MD5: 787bc17aa29a48edf7a62922b5c884e9
SHA1: 2dff13cbd13f50d5e3a9b8f8150aa8c9750f1297
SHA256: a4610b4755704326d8e5dca24287a89470fa69402d4225bb1e045b952d28420a
SSDeep: 196608:co wOOTtcMuUw8Tf16dEyB1Jm3zxYGHJa:c9OiMPZe3I3zxYGY
Size: 7213568 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Software Assistant
Created at: 2016-04-01 15:24:20
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The AIT creates the following process(es):

WALLHACKTRAINER.EXE:1140
WALLHACKTRAINER.EXE:212
%original file name%.exe:1252
%original file name%.exe:636
%original file name%.exe:2040

The AIT injects its code into the following process(es):

LEL.EXE:1276

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WALLHACKTRAINER.EXE:1140 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\CET_Archive.dat (25429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\WALLHACKTRAINER.EXE (200 bytes)

The AIT deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\CET_Archive.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\WALLHACKTRAINER.EXE (0 bytes)

The process WALLHACKTRAINER.EXE:212 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\WALLHACKTRAINER.EXE (73789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\lua5.1-64.dll (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\defines.lua (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\CET_TRAINER.CETRAINER (995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted (4 bytes)

The AIT deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\WALLHACKTRAINER.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\lua5.1-64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\defines.lua (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\CET_TRAINER.CETRAINER (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted (0 bytes)

The process LEL.EXE:1276 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (40 bytes)

The process %original file name%.exe:1252 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\res.ico2 (36354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.ico (36354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (39419 bytes)

The AIT deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\res.ico2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process %original file name%.exe:636 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WALLHACKTRAINER.EXE (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LEL.EXE (3746 bytes)

The process %original file name%.exe:2040 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\res.ico2 (45846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (48247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.ico (45846 bytes)

The AIT deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)

Registry activity

The process WALLHACKTRAINER.EXE:212 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9F FB 78 61 60 1A 51 5C 28 79 A5 0E D1 BD F3"

The process LEL.EXE:1276 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 63 AC B2 55 09 C3 3D B9 78 38 36 D6 C7 C7 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1252 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 00 DF 14 78 38 EA 26 E8 02 11 B4 C0 7A 4C 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:636 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 9C 3A B6 FB 9E 91 49 CF 67 75 2D 5B 47 7B 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LEL.EXE" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WALLHACKTRAINER.EXE" = "WALLHACKTRAINER"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The AIT modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The AIT modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The AIT modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:2040 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E B7 FE 4B C7 6D 2F 80 6B 2E 4D EE C7 15 E1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

HOSTS file anomalies

The AIT modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 40 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The AIT connects to the servers at the folowing location(s):

.text

`.itext

`.data

.idata

.rdata

@.reloc

B.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

%Documents and Settings%\%current user%\Application Data\dclogs\2016-04-06-4.dc

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080<0@0

<!=$=)=-=4=

;"<?<_<|<

; ;$;(;,;0;4;8;<;@;

7 8$888<8

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   WALLHACKTRAINER.EXE:1140
   WALLHACKTRAINER.EXE:212
   %original file name%.exe:1252
   %original file name%.exe:636
   %original file name%.exe:2040

2. Delete the original AIT file.
   
3. Delete or disinfect the following files created/modified by the AIT:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\CET_Archive.dat (25429 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\WALLHACKTRAINER.EXE (200 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\WALLHACKTRAINER.EXE (73789 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\lua5.1-64.dll (563 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\defines.lua (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\cetrainers\CET3.tmp\extracted\CET_TRAINER.CETRAINER (995 bytes)
   %System%\drivers\etc\hosts (40 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\res.ico2 (36354 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (39419 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\WALLHACKTRAINER.EXE (28502 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\LEL.EXE (3746 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (48247 bytes)
   

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.