MD5: 9bfbc811ff09651fdfd028a5f7ec2110
SHA1: 387c8c99bdec266320c9ab01ca7177fb0896f505
SHA256: f43a8b7f1e5406d56141051c3e1b380ea169234becf28cd3388e63c6c60bf6df
SSDeep: 12288:1RAiP1Bsf84tJdK2Yi7GEqF/gHRH NLmu6:HAi9Bs3JdK2d9dHReNKH
Size: 476640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-04 10:59:44
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3868

The Trojan injects its code into the following process(es):

Internet.exe:3740
Dwm.exe:524
taskhost.exe:268
Explorer.EXE:520
TPAutoConnect.exe:1988
conhost.exe:3360

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vnc84D8.tmp (11186 bytes)
C:\Windows\Internet.exe (3552 bytes)

The process Internet.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zoc8FFF.tmp (11186 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process %original file name%.exe:3868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\services\Internet]
"DeleteFiles" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Internet.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Internet]
"MarkTime" = "2017-05-29 13:16"

"ConnectGroup" = "ĬÈÏ·Ö×é"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "C:\Windows\Internet.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\services\Internet]
"DeleteFiles"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: qunminghanzi ????
Product Version: 1, 0, 0, 1
Legal Copyright: ???? (C) 2017
Legal Trademarks:
Original Filename: qunminghanzi.EXE
Internal Name: qunminghanzi
File Version: 1, 0, 0, 1
File Description: qunminghanzi Microsoft ???????
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
ww.qinvv.com	124.72.32.229
teredo.ipv6.microsoft.com	157.56.120.207
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

.data

.rsrc

MFC42.DLL

MSVCRT.dll

_acmdln

GetProcessHeap

KERNEL32.dll

USER32.dll

|%D(L,P

|,7-8.9/

f S"D$b%u'

$\.dK

<1.aE

.ttq^[

9L.av

$z%u&

.//041. @=

.Jv!kr

'()* ,(:

1#'''2345

=W(%s

.aAV`H

@.FH 

N.vAL]U

(F-%f

E?$#.Mu

'Vr%C

,%X^{

%UQJb

.XVZP4

 @web`

Tp$%D

Tp.NB

.bLj7s

!"rrrr#$%&rrrr'()*rrrr ,-.rrrr/012rrrr3456rrrr789:rrrr;<=>rrrr?@ABrrrrCDEFrrrrGHIJrrrrKLMNrrrrOPQRrrrrSTUVrrrrWXYZrrrr[\]^rrrr_`abrrrrcdefrrrrghijrrrrklmnrrrropqrrrrrstuvrrrrwxyzrrrr{|}~

2345''''6789'''':;<=

2999934569999789:9999;<=>

PL XviD co>c (1.3.0{k

dows\Cur.ntVersion\run^HKC

LMexe

"7R%d *

c.uvo

;nalG6UdpTab

&hXXp://

#gCMD

.mRoot%Z

im cmd

PCRT

-.va_o

d%cU

vurLw

R6.Zk

L.ro N

s@.Mx(

KERNEL32.DLL

ADVAPI32.dll

GDI32.dll

imagehlp.dll

iphlpapi.dll

MPRAPI.dll

MSVCP60.dll

NETAPI32.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

SHELL32.dll

SHLWAPI.dll

USERENV.dll

VERSION.dll

WININET.dll

WINMM.dll

WS2_32.dll

WTSAPI32.dll

ShellExecuteA

NetSyst81.dll

Kernel32.dll

RegOpenKeyExA

RegCloseKey

Software\Microsoft\Windows\CurrentVersion\Explorer

7,1,43,14654

kugou.com Inc.

Copyright(C) 2004-2012 KuGou-Inc.All Rights Reserved

KuGou.dll

1, 0, 0, 1

qunminghanzi.EXE

Qunminghanzi.Document

Internet.exe_3740_rwx_00448000_00001000:

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

Software\Microsoft\Windows\CurrentVersion\Explorer

Internet.exe_3740_rwx_01231000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk#

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0$

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz%

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Internet.exe_3740_rwx_10001000_00348000:

D$%SS

t;Jt%UQJPSt

@43434343

Jw2.Hw

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

This software is derived from the GNU GPL XviD codec (1.3.0).

Software\Microsoft\Windows\CurrentVersion\run

\StringFileInfo\%s\CompanyName

000%x

Software\Microsoft\Windows\CurrentVersion\Run

%d * %d:

(%d-d-d d:d:d)

<%s> %s

%d.%d.%d.%d

Ourlog

%s\*.*

%s%s%s

%s%s*.*

%Y-%m-%d %H:%M

%s : %u

InternalGetUdpTableWithOwnerPid

AllocateAndGetUdpExTableFromStack

InternalGetTcpTable2

AllocateAndGetTcpExTableFromStack

%d-%d-%d %d:%d:%d

hXXp://

\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

\Local Settings\History\History.IE5\index.dat

%Y-%m-%d %H:%M:%S

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\*.url

%sDocuments and Settings\%s\Favorites

%sUsers\%s\Favorites

192.168.1.2

Http/1.1 403 Forbidden

HTTP/1.0 200 OK

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

:] %s

:] %d-%d-%d %d:%d:%d

%s\dllcache\magnify.exe

%s\dllcache\osk.exe

%s\dllcache\sethc.exe

%s\magnify.exe

%s\osk.exe

%s\sethc.exe

\dllcache\termsrvhack.dll

\termsrvhack.dll

%SystemRoot%\system32\termsrvhack.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

%s%s %s%s

jingtisanmenxiachuanxiao.vbs

TSDISCON %s

LOGOFF %s

taskkill /f /im cmd.exe

cmd.exe

taskkill /f /im taskmgr.exe

taskmgr.exe

taskkill /f /im regedit.exe

regedit.exe

taskkill /f /im mmc.exe

mmc.exe

taskkill /f /im mstsc.exe

mstsc.exe

taskkill /f /im QQ.exe

QQ.exe

taskkill /f /im Maxthon.exe

Maxthon.exe

taskkill /f /im Firefox.exe

Firefox.exe

taskkill /f /im Chrome.exe

Chrome.exe

taskkill /f /im sogouexplorer.exe

sogouexplorer.exe

taskkill /f /im 360SE.exe

360SE.exe

taskkill /f /im IEXPLORE.exe

IEXPLORE.exe

taskkill /f /im s.exe

s.exe

PortNumber

%d/%d

\cmd.exe

explorer.exe

All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk

Microsoft\Network\Connections\pbk\rasphone.pbk

Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk

%s\%s

AppData\Roaming\Microsoft\Network\Connections\pbk\rasphone.pbk

%USERPROFILE%

RasDialParams!%s#0

Iphlpapi.dll

rasphone.pbk

\Application Data\Tencent\Users\*.*

\AppData\Roaming\Tencent\Users\*.*

/IP (%s)

Net123.dat

mgui.exe

mcagent.exe

Pavsrv50.exe

SHesvchost.exe

onlinent.exe

pasvc.exe

fsaa.exe

vba32ldr.exe

spider.exe

ccapp.exe

bdnagent.exe

MsMpEng.exe

v3lsvc.exe

AYAgent.aye

avgui.exe

baidusdSvc.exe

QQPCRTP.exe

ksafe.exe

rtvscan.exe

ashDisp.exe

avcenter.exe

pccmain.exe

knsdtray.exe

kxetray.exe

egui.exe

Mcshield.exe

RavMonD.exe

KvMonXP.exe

avp.exe

360sd.exe

360tray.exe

%d %c %d

1.1.4

xvid-1.3.2

%d st:%lld if:%d

XviDd%c

C:\Windows

ww.qinvv.com

C:\Windows\Internet.exe

hXXp://user.qzone.qq.com/%s

hXXp://tool.chinaz.com/Ip/?IP=%s

hXXp://dns.aizhan.com/?q=%s

Windows Internet

Windows Firewall/Internet Comnection Shaing (ICS)

Internet.exe

2017-05-29 13:16

C:\Windows\Internet.dat

~~}}}~~}}}

PeekNamedPipe

DisconnectNamedPipe

CreatePipe

WinExec

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyA

RegQueryInfoKeyA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyA

RegOpenKeyExA

RegCloseKey

ShellExecuteA

MapVirtualKeyA

keybd_event

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

ExitWindowsEx

EnumWindows

InternetOpenUrlA

.text

`.rodata

`.rotext

`.rdata

@.data

.rsrc

@.reloc

L.ro N

s@.Mx(

""""$$$$&&&&((((****,,,,....00002222444466668888::::<<<<>>>>

#*1892 $

%,3:;4-&

'.5<=6/7>?

"#()01* $%&',-./2389:;4567<=>?

"*2:# 3;

$,4<%-5=

&.6>'/7?

iphlpapi.dll

lIngress.exe

arpguard.exe

zrclient.exe

zrupdate.exe

zreboot.exe

This user account is used by the Visual Studio .NET Debugger

Dwm.exe_524_rwx_005B1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk[

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0\

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz]

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

taskhost.exe_268_rwx_01151000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Explorer.EXE_520_rwx_039A1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

TPAutoConnect.exe_1988_rwx_01EC1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

conhost.exe_3360_rwx_011E1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

Gw2.Hw

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3868
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vnc84D8.tmp (11186 bytes)
   C:\Windows\Internet.exe (3552 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zoc8FFF.tmp (11186 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "internet" = "C:\Windows\Internet.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.