Win32.Parite.C_de4e73fde7

by malwarelabrobot on May 11th, 2017 in Malware Descriptions.

Win32.Parite.C (BitDefender), Virus:Win32/Parite.C (Microsoft), Virus.Win32.Parite.c (Kaspersky), Win32.Parite.c (v) (VIPRE), Trojan.Siggen7.21401 (DrWeb), Win32.Parite.C (B) (Emsisoft), W32/Pate.c (McAfee), W32.Pinfi.B (Symantec), Virus.Win32.Parite (Ikarus), Win32.Parite.C (FSecure), Win32/Parite (AVG), Win32:Parite (Avast), PE_PARITE.A (TrendMicro), Win32.Parite.C (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: de4e73fde799dd5adabd81ba5630c530
SHA1: cb215ae18a72b1ca8aa1877dd7cfb7207b7cdc14
SHA256: ce4d2887a72ee43da403307c335c3527b213cdd913787be69c7e8a52392825e8
SSDeep: 6144:sDYPb0McYn2yy8pvoQ7BzPEZtPuxsc9np5:MMcUbpvRBzv55p5
Size: 219108 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-28 09:53:28
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WerFault.exe:3568
wermgr.exe:160

The Trojan injects its code into the following process(es):

%original file name%.exe:3380
Explorer.EXE:1440
conhost.exe:1648

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WerFault.exe:3568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\WER2146.tmp.WERInternalMetadata.xml (51540 bytes)
C:\Windows\Temp\WER2157.tmp.hdmp (133646 bytes)
C:\Windows\Temp\WER21D5.tmp.mdmp (117249 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\Report.wer (146554 bytes)
C:\Windows\Temp\WER2126.tmp.appcompat.txt (2056 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2146.tmp.WERInternalMetadata.xml (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER21D5.tmp.mdmp (5873 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2157.tmp.hdmp (7433 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2126.tmp.appcompat.txt (3 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WER2126.tmp (0 bytes)
C:\Windows\Temp\WER2146.tmp (0 bytes)
C:\Windows\Temp\WER2146.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WER2157.tmp.hdmp (0 bytes)
C:\Windows\Temp\WER21D5.tmp (0 bytes)
C:\Windows\Temp\WER2126.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WER21D5.tmp.mdmp (0 bytes)
C:\Windows\Temp\WER2157.tmp (0 bytes)

The process wermgr.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\Report.wer.tmp (151984 bytes)

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\svchost.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dca1821.tmp (11190 bytes)

Registry activity

The process WerFault.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\LruList\000000000000056C]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\143]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\LruList\000000000000056B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\143]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\144]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\144\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000005823" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000005823]
"144" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\144]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\143]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\143\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"143" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\LruList\000000000000056C]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\144]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\LruList\000000000000056B]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\143]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{686941E9-946F-11E6-8ABA-0050563CAC71}\DefaultObjectStore\ObjectTable\144]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

The process wermgr.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f"

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\NetRoot]
"InstallTime" = "2017-05-10 15:54"
"Group" = "Default"

[HKLM\System\CurrentControlSet\services\NetRoot\SYSTEM\CurrentControlSet\Services]
"NetRoot" = "神奇的阿七"

[HKLM\System\CurrentControlSet\services\NetRoot]
"Remark" = "VIP"

Dropped PE files

MD5 File path
fe763c2d71419352141c77c310e600d2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\dca1821.tmp
fe763c2d71419352141c77c310e600d2 c:\Windows\Temp\aca1C08.tmp
fe763c2d71419352141c77c310e600d2 c:\Windows\Temp\hca1C46.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.rdata 4096 3674 4096 3.0226 6481f16041bc5f9083442ea75539f16f
.data 8192 29788 32768 3.91017 d70fbd3954c395dbb24a8fd5041dd7a0
.uro 40960 4096 4096 4.84191 ced34dd936a129da7b8df4b5f731ca6e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3380:


%original file name%.exe_3380_rwx_0040A000_00001000:

Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer

%original file name%.exe_3380_rwx_01141000_00071000:


svchost.exe_3392:


Explorer.EXE_1440_rwx_047C1000_00071000:


conhost.exe_1648_rwx_01211000_00071000:



Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:3568
    wermgr.exe:160

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\Temp\WER2146.tmp.WERInternalMetadata.xml (51540 bytes)
    C:\Windows\Temp\WER2157.tmp.hdmp (133646 bytes)
    C:\Windows\Temp\WER21D5.tmp.mdmp (117249 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\Report.wer (146554 bytes)
    C:\Windows\Temp\WER2126.tmp.appcompat.txt (2056 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2146.tmp.WERInternalMetadata.xml (3 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER21D5.tmp.mdmp (5873 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2157.tmp.hdmp (7433 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\WER2126.tmp.appcompat.txt (3 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_acefd23b6d9b11f337fb2b1ec85b4b86295a42_cab_0df5222f\Report.wer.tmp (151984 bytes)
    C:\Windows\svchost.exe (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dca1821.tmp (11190 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
