Win32.Parite.B_e55f46744e

by malwarelabrobot on August 1st, 2017 in Malware Descriptions.

Win32.Parite.B (BitDefender), Virus:Win32/Parite.B (Microsoft), Virus.Win32.Parite.b (Kaspersky), Win32.Parite.b (v) (VIPRE), Trojan.DownLoader25.8858 (DrWeb), Win32.Parite.B (B) (Emsisoft), W32/Pate.b (McAfee), W32.Pinfi.B (Symantec), Virus.Win32.Parite (Ikarus), Win32.Parite.B (FSecure), Win32:Parite (AVG), Win32:Parite (Avast), PE_PARITE.A (TrendMicro), Win32.Parite.B (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: e55f46744e9cd6317bd0ccd74c386e2f
SHA1: d59a381fbfa47c686f904bde4c90e405915749c7
SHA256: a67e759abbe9c06197f5e4e43c8bbcd7a3208dc4aba812ec6fd7c23e8ca5dc1c
SSDeep: 6144:ZngoRfgkpt//q6iZDpm6V8YZFtdXn9IDN4E23zyU38xoS:VgoR4B6iW6eizXnON9Er38xoS
Size: 263634 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3620
Explorer.EXE:520
conhost.exe:3360

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Internet Explorer\updata.exe (14505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\updata[1].dat (16500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gwcDD44.tmp (11186 bytes)

Registry activity

The process %original file name%.exe:3620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "A0 C7 BE F6 17 0A D3 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "A0 C7 BE F6 17 0A D3 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e55f46744e9cd6317bd0ccd74c386e2f_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"adminmysqldata" = "%Program Files%\Internet Explorer\test.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
685f1cbd4af30a1d0c25f252d399a666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\gwcDD44.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

Company Name: ????
Product Name: ???? NewTestreyht5uy5
Product Version: 1, 0, 0, 1
Legal Copyright: ????(C) 2017
Legal Trademarks:
Original Filename: NewTestreyht5uy5.exe
Internal Name: NewTestreyht5uy5
File Version: 1, 0, 0, 1
File Description: NewTestreyht5uy5
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 32768 32768 4.67635 e38202b018ac75eb117adb4d82f590d2
.rdata 36864 6612 8192 2.94265 71e0d00e1186cd8cdbe323c221cb97f3
.data 45056 6428 8192 0.821452 0de5540425ee67be0638f91bed8da3c2
.rsrc 53248 32768 32768 5.13096 500a17cc1338107299102d40b2d79920
.oli 86016 4096 4096 4.80905 b3b3caa937a3bcf9291854a728cc860a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
xiaochen118.f3322.net 42.51.38.251
ant.trenz.pl 148.81.111.121
ilo.brenz.pl 148.81.111.121
tfmhkt.com
yhvudy.com
dneari.com
yglujg.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

...T....Dh.8.m...%.....Q...^.K...6h.GQn.8.c.r..QS.Y..i..W.n.




:irc 001 zinlmfbt :Hi virtu.:irc 376 zinlmfbt :End of /MOTD command.:i
rc 001 zinlmfbt :Hi virtu.:irc 376 zinlmfbt :End of /MOTD command...

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3620:

.text
`.rdata
.data
.rsrc
kernel32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
GetProcessHeap
KERNEL32.dll
GetCPInfo
NewTest.dat
c:\%original file name%.exe
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK fxygvhns
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x  *%s
KERNEL32.DLL
windowsupdate
drweb
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer
1, 0, 0, 1
NewTestreyht5uy5.exe

%original file name%.exe_3620_rwx_001E0000_00008000:

ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK zinlmfbt
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x  *%s
KERNEL32.DLL
windowsupdate
drweb
C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1
68.50.163\SANDBOXOUTPUT\2017-07-31\E55F46744E9CD6317BD0CCD74C386E2F\DUMPS\E55F46744E9CD6317BD0CCD74C386E2F.EXE_3620_RWX_001D0000_00001000.DMP
%WinDir%\SYSTEM32\SNIPPINGTOOL.EXE
\WMPLAYER.EXE
bicimf.com
vsrlvi.com
vxehka.com
dzuaeo.com
iohtvo.com
iooooh.com
elmvtm.com
roscae.com
cqspsu.com
aeapqr.com
znorpm.com
eiepvk.com
gpjbbe.com
peoasr.com
vubuaz.com
ciiefi.com
miuzwc.com
xqvesa.com
xaavai.com
ematfi.com
pirhae.com
nibmfb.com
dzvkbj.com
jusawl.com
hinxfu.com
triwky.com
zplhnd.com
ylriea.com
ptjweb.com
uikpis.com
oocbie.com
dozecj.com
celnvu.com
tnnupo.com
rgohnq.com
kucilz.com
evdghq.com
iycoxk.com
zpnlre.com
zoyfer.com
whphdu.com
bqgyas.com
zaleao.com
gobyah.com
pzzxjz.com
xcoytu.com
vebdax.com
yhxbcy.com
crxaur.com
ooodcu.com
shtqna.com
gfjpap.com
ntmtuk.com
aexahf.com
wzslyl.com
ypuuho.com
ojhcwm.com
teuaej.com
gmiudv.com
gszoac.com
dofiae.com
byqefx.com
kveocw.com
yozsjf.com
luodus.com
rxpuoe.com
ikgbaa.com
itaite.com
eixpuk.com
uttlhq.com
ieaoeb.com
yhvudy.com
pkbjjv.com
qtixkg.com
rbzcra.com
xyuphe.com
meejdy.com
dneari.com
nontky.com
efgizb.com
ekujuq.com
cmdntq.com
eaeoqz.com
guiain.com
yotuqj.com
hnnzmn.com
yivsog.com
dajyzi.com
yglujg.com
yatjfj.com
jjaefy.com
qyvoed.com
iqiuou.com
gfbtlb.com
miveta.com
xbdixa.com
uovoac.com
isbixb.com
tfmhkt.com
xesrxw.com

%original file name%.exe_3620_rwx_002F1000_00071000:

UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk/
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,00
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz1
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Gw2.Hw
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt  Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s

Explorer.EXE_520_rwx_02AF1000_00071000:

UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Gw2.Hw
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt  Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s

%original file name%.exe_3620_rwx_0040E000_00008000:

ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK fxygvhns
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x  *%s
KERNEL32.DLL
windowsupdate
drweb
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer

conhost.exe_3360_rwx_011E1000_00071000:

UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Gw2.Hw
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt  Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Internet Explorer\updata.exe (14505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\updata[1].dat (16500 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gwcDD44.tmp (11186 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "adminmysqldata" = "%Program Files%\Internet Explorer\test.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now