Win32.Ramnit_10cfb7229c

by malwarelabrobot on August 17th, 2017 in Malware Descriptions.

Win32.Ramnit (BitDefender), Virus:Win32/Parite.B (Microsoft), Virus.Win32.Parite.b (Kaspersky), Virus.Win32.Ramnit.a (v) (VIPRE), Win32.Parite.2 (DrWeb), Win32.Ramnit (B) (Emsisoft), W32/Pate.b (McAfee), W32.Pinfi.B (Symantec), DDoS.Win32.Nitol (Ikarus), Win32.Ramnit (FSecure), Win32:Parite (AVG), Win32:Parite (Avast), Win32.Ramnit (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, GenericInjector.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 10cfb7229c27ea6146a22ee7323390b9
SHA1: 0862aa12b8002bb7ae6cd27d9905412997ca5b82
SHA256: 7c07ea8aa915a582c5a9c923997c8d7b30d8042983843191a788e91605005079
SSDeep: 6144:/xn/UkzznXqBYLDeayKpov3jzR8b7xBPOz1Ix:pn/UknnXEUkP58brWz1c
Size: 256986 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-23 14:13:42
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

10cfb7229c27ea6146a22ee7323390b9Srv.exe:316
%original file name%.exe:2932
ccoecmSrv.exe:1248

The Trojan injects its code into the following process(es):

ccoecm.exe:1784
chrome.exe:2544
iexplore.exe:2192
Explorer.EXE:2024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ccoecm.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\ccoecmSrv.exe (113 bytes)
C:\Windows\Temp\jma7A5D.tmp (11186 bytes)

The process chrome.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)

The process 10cfb7229c27ea6146a22ee7323390b9Srv.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (113 bytes)

The Trojan deletes the following file(s):

%Program Files%\Microsoft\px79FF.tmp (0 bytes)

The process %original file name%.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\10cfb7229c27ea6146a22ee7323390b9Srv.exe (113 bytes)
C:\Windows\ccoecm.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tma79C1.tmp (11186 bytes)

The process ccoecmSrv.exe:1248 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Microsoft\px7AAB.tmp (0 bytes)

Registry activity

The process chrome.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
"failed_count" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\ccoecmsrv.exe,c:\program files\microsoft\desktoplayer.exe"

The process %original file name%.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\services\xcvxcvcbcvbvcbcvbxvxcv.Net CLR]
"Description" = "Microsoft cvcxvcxvvcbvcb.NET CObcvbxvcxvbvc Integration with SOAP"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
c2d564911c96d80bb311ad2b8f6cc40d c:\10cfb7229c27ea6146a22ee7323390b9Srv.exe
685f1cbd4af30a1d0c25f252d399a666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tma79C1.tmp
685f1cbd4af30a1d0c25f252d399a666 c:\Windows\Temp\jma7A5D.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 40960 16384 15360 5.42591 51b32dea0c5d7d46eb6fa9c7087999a6
.rsrc 57344 8192 5120 2.94789 20bf7e0761340e2aa488212a258ff2ea
.rmnet 65536 61440 57856 5.52538 3f56f950fb220e9638287c81d49f157a
.uro 126976 4096 1536 4.8938 85704b7cd7feee6d025adfc3e76afa58

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
google.com 172.217.16.110
fget-career.com 89.185.44.100


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32/Ramnit Checkin

Traffic

The Trojan connects to the servers at the following location(s):

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    10cfb7229c27ea6146a22ee7323390b9Srv.exe:316
    %original file name%.exe:2932
    ccoecmSrv.exe:1248

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\ccoecmSrv.exe (113 bytes)
    C:\Windows\Temp\jma7A5D.tmp (11186 bytes)
    %Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
    %Program Files%\Microsoft\DesktopLayer.exe (113 bytes)
    C:\10cfb7229c27ea6146a22ee7323390b9Srv.exe (113 bytes)
    C:\Windows\ccoecm.exe (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tma79C1.tmp (11186 bytes)

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\ccoecmsrv.exe,c:\program files\microsoft\desktoplayer.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
