Trojan.Win32.SwrortProxy_0140b27506
Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, TrojanSwrortProxy.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0140b27506571a25ae319785917e04fa
SHA1: f6d0867c38caac33ab96ee93dae0b991c57f7732
SHA256: 590af81ee6f5662bc11d8405f4a574b23635d6244aca5c9393d1e67816f61dbe
SSDeep: 49152:pB9Mjsm9UbOa8isTwwSNZ9TFfTZddiYTYT9Jx2BOxRmCED5EYwWbU/mQwaQfokaK:pB9Mj7M6ijNZ9axWOx4fE3mQwnai2ZTk
Size: 3418811 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: Fast Downloader Media
Created at: 2009-09-19 01:41:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dnserrordiagoff_webOC[1] (6 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\errorPageStrings[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0140b27506571a25ae319785917e04fa.madExcept (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\navcancl[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dnserrordiagoff_webOC[1] (0 bytes)
Registry activity
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\0140b27506571a25ae319785917e04fa_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\0140b27506571a25ae319785917e04fa_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\0140b27506571a25ae319785917e04fa_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\0140b27506571a25ae319785917e04fa_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0140b27506571a25ae319785917e04fa_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Aocea - Helios Emu
Product Name: Aeomin DLIB Core V4 Series
Product Version: 4.1.0
Legal Copyright: AED
Legal Trademarks:
Original Filename: Thor.exe
Internal Name: Stonegarlic
File Version: 2.5.4.18
File Description: Thor Patcher
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1790144 | 1790464 | 4.54369 | 418e7cf5a2baade77b072c06e826bb0a |
| .itext | 1798144 | 7732 | 8192 | 4.36253 | aabbdaa58eef4cfd5ffd81d606023ea8 |
| .data | 1806336 | 73132 | 73216 | 4.40017 | e02f4c7978e91c6f4a1d35c735f3995d |
| .bss | 1880064 | 31972 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 1912832 | 15710 | 15872 | 3.50933 | 4892fb75da616ad0f28e444dd87606c8 |
| .edata | 1929216 | 75 | 512 | 0.549563 | e52dcf5d63e1366156f20a57d4aa5f40 |
| .tls | 1933312 | 292 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 1937408 | 24 | 512 | 0.148841 | e1d37a0239f7ede453b405fb08d21399 |
| .reloc | 1941504 | 118992 | 119296 | 4.6114 | ddac0f62a3d2d24d31b3955e1ab4ced2 |
| .rsrc | 2064384 | 597732 | 598016 | 4.63129 | a3ee9e16d887043024c46171376e0d50 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
No help found for %s#No context-sensitive help installed
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)"Unable to find a Table of Contents
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Invalid data type for '%s' List capacity out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Wed?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp
I/O error %d
2.5.4.18
4.1.0
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dnserrordiagoff_webOC[1] (6 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.