MD5: b716149de896974bf5d514592e8c7209
SHA1: 19c76734257f3a3ba666157ecfe957b162e999cd
SHA256: 3adc1d67e31ba9f7415cc4264b917ec2ab102de87b71f74cb215ed2c5cbdaee8
SSDeep: 3072:OwR5g46PJhr dXwfgsuHt7pULOpcnKtQpQaFB6AGqy4cqv l1ghILvpsyFco2pzR:/R2zP yfABqacKMBgx/qv zghESoT6
Size: 225833 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2005-12-10 07:55:16
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

Process activity

The Adware creates the following process(es):

taskkill.exe:1568
taskkill.exe:768
taskkill.exe:168
sc.exe:816
rundll32.exe:628
%original file name%.exe:1752
cacls.exe:1920
cacls.exe:1736

The Adware injects its code into the following process(es):

v13-200.exe:1316
QvodSetupPlus3.0.exe:548

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process rundll32.exe:628 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process v13-200.exe:1316 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (7912 bytes)
C:\ (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%System%\func.dll (18563831 bytes)
%System%\CatRoot2 (96 bytes)
C:\autorun.inf (21 bytes)
%WinDir%\WinSxS (12 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10756 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (1444 bytes)
C:\$Directory (1984 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%System%\config\SysEvent.Evt (920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
C:\PROGRAM FILES (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (96 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%WinDir%\phpq.dll (22141559 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
C:\1.exe (32 bytes)
%System% (8408 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)

The process %original file name%.exe:1752 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\v13-200.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe (3497 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrB2.tmp (0 bytes)

The process QvodSetupPlus3.0.exe:548 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (1807330 bytes)

Registry activity

The process taskkill.exe:1568 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B E5 46 04 74 E8 4D D5 A1 17 2A 71 64 E5 8A 55"

The process taskkill.exe:768 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 BD 5A 92 18 46 AD 6E AE 61 7B 07 BC A5 70 A9"

The process taskkill.exe:168 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 9C 16 7A E7 9D 52 70 CA 06 FC 43 7E B8 12 2A"

The process sc.exe:816 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 A4 2C E0 17 02 EB 9F 02 EE F5 EA 82 2F AF 29"

The process rundll32.exe:628 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 41 82 48 BD 8C 89 AB F2 DF FA 51 1C 64 1A 45"

The process %original file name%.exe:1752 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 40 8D 6D A3 15 C8 11 53 D2 2A 35 6D AB C0 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"QvodSetupPlus3.0.exe" = "QvodInstall Module"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"v13-200.exe" = "Windows Calculator"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process QvodSetupPlus3.0.exe:548 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 52 F4 37 26 27 7B CC 41 CE 94 9A 38 6D 18 10"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"QvodSetupPlus3.0.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe:*:Enabled:QVOD"

The process cacls.exe:1920 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 2B FE 8E 75 20 80 C4 16 85 75 89 59 4D 30 7A"

The process cacls.exe:1736 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 B2 F7 F6 C3 BC 00 E9 43 35 11 92 7B 44 38 4F"

Dropped PE files

HOSTS file anomalies

The Adware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Adware installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Adware substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Adware's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 27
655ebda89a8c316de7ce5873ff1deb61
e3b9552542da4baa880577ebf97a9b86
fc673a5d1b15dbfdd0d897a7f69aaf3b
f979ad42b1f8cf01c151d3d09a437fb6
268211e652c08efd0d26a3e0d668f571
b7cc8824a4b6d007ae046922d488bc8d
f045fd21b3c9462938fe27e5ee4f06a3
66e69190d8ef735a301516e348c35190
790ada328637bd837b55fbf63280816d
bfc04c03ea863ac32e915d9255c7d9b8
917a7bea1c81ec3b61eeef59c454ed84
3b962c5e68dc495b9dac718c305f1cce
5ac95b4cbac570ac3674c873669ca552
1fbd74b51c3a6f9f3cea8425d96177fc
963c483fda50e85a28f852983123eb15
e391435dfa53cd9dbfdb42fba8d059f1
5551794e263875a795c680479c97527f
4bf082ed0c0a5e6821c59f6873c506c8
6cfc96e51ddd7beb1294cb8d0836a751
4980695fdfef0015de369e969c0df056
ee881ac1ac662ffa662dd5b30fda6ab3
95759d0e94837f34197e14a949bc6525
dffa87da1c5f035a69fe01d7593329ef
61ce4dd0f1b7482b6cdbed621f45c762
e3425dd32acaa9f1830c97a82f44bc35

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Adware connects to the servers at the folowing location(s):

`.rsrc

.tTPV

u.hH.C

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

portuguese-brazilian

GET /%s HTTP/1.1

Accept: application/vnd.ms-powerpoint, application/msword, */*

Host: %s

%s (%s)

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

%s %.2f GB

%s %.2f MB

%s %I64d KB

%s %I64d Byte

Httpurl

hXXp://update.qvod.com/qd.jpg

%s\qd.ini

%s\%s

%s_1.%s

QvodSetupPlus.exe

hXXp://

QVODd
2I64X

tcp connecting limit is %d

\drivers\tcpip.sys

stun01.sipphone.com

stun.qvod.com

61.139.219.200

track.qvod.com

TCP Port

61.139.219.203

221.194.134.216

agent.qvod.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Range: bytes=%u-

Port Restricted Nat

, random port

, preserves ports

PWindowsFirewallAppIsEnabled failed: 0xlx

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

controlURL

URLBase

HTTP/1.1

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

AddPortMapping

NewPortMappingDescription

NewInternalPort

NewExternalPort

DeletePortMapping

External NAT port in use

External NAT port in use: Too many retries

Port mapping not owned by this class

Error getting StaticPortMappingCollection

problem parsing Password

Password =

ipv6 not supported

HMAC with password:

Encoding Password:

About to send msg of len

Some problem opening port/interface to send on

POST /service HTTP/1.1

Content-Length: %d

Host: %s:%d

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)

127.0.0.1

recv %d

Opened port

Port

for receiving UDP is in use

Could not bind UDP receive port

Could not create a UDP socket:

err EAFNOSUPPORT in send

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QvodSetupPlus3.0.exe

GetCPInfo

.text

`.rdata

@.data

.rsrc

@.MNe|

version="5.1.0.0"

name="test.exe"/>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

USER32.dll

VERSION.dll

WS2_32.dll

.torrent

: %d K/S

%s ...

%s...

3, 0, 0, 0

QvodInstall.exe

QvodSetupPlus3.0.exe_548_rwx_00401000_0004A000:

.tTPV

u.hH.C

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

portuguese-brazilian

GET /%s HTTP/1.1

Accept: application/vnd.ms-powerpoint, application/msword, */*

Host: %s

%s (%s)

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

%s %.2f GB

%s %.2f MB

%s %I64d KB

%s %I64d Byte

Httpurl

hXXp://update.qvod.com/qd.jpg

%s\qd.ini

%s\%s

%s_1.%s

QvodSetupPlus.exe

hXXp://

QVODd
2I64X

tcp connecting limit is %d

\drivers\tcpip.sys

stun01.sipphone.com

stun.qvod.com

61.139.219.200

track.qvod.com

TCP Port

61.139.219.203

221.194.134.216

agent.qvod.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Range: bytes=%u-

Port Restricted Nat

, random port

, preserves ports

PWindowsFirewallAppIsEnabled failed: 0xlx

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

controlURL

URLBase

HTTP/1.1

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

AddPortMapping

NewPortMappingDescription

NewInternalPort

NewExternalPort

DeletePortMapping

External NAT port in use

External NAT port in use: Too many retries

Port mapping not owned by this class

Error getting StaticPortMappingCollection

problem parsing Password

Password =

ipv6 not supported

HMAC with password:

Encoding Password:

About to send msg of len

Some problem opening port/interface to send on

POST /service HTTP/1.1

Content-Length: %d

Host: %s:%d

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)

127.0.0.1

recv %d

Opened port

Port

for receiving UDP is in use

Could not bind UDP receive port

Could not create a UDP socket:

err EAFNOSUPPORT in send

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\QvodSetupPlus3.0.exe

GetCPInfo

.text

`.rdata

@.data

.rsrc

.torrent

: %d K/S

%s ...

%s...

v13-200.exe_1316:

.nsp0

.nsp1

.nsp2

GetWindowsDirectoryA

WinExec

\phpq.dll

rundll32.exe func.dll, droqp

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

Explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.exe

Explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

KERNEL32.DLL

MSVCRT.DLL

Ev%f|8

S%S5s

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

v13-200.exe_1316_rwx_00404000_00017000:

GetWindowsDirectoryA

WinExec

\phpq.dll

rundll32.exe func.dll, droqp

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

Explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.exe

Explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

KERNEL32.DLL

MSVCRT.DLL

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

v13-200.exe_1316_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

v13-200.exe_1316_rwx_10005000_00001000:

\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\v13-200.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

InternetOpenUrlA

WININET.dll

rundll32.exe_628:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:1568
   taskkill.exe:768
   taskkill.exe:168
   sc.exe:816
   rundll32.exe:628
   %original file name%.exe:1752
   cacls.exe:1920
   cacls.exe:1736

3. Delete the original Adware file.
   
4. Delete or disinfect the following files created/modified by the Adware:
   

   %System%\drivers\acpiec.sys (14 bytes)
   %Documents and Settings% (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus.exe.!qd (7912 bytes)
   %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
   %System%\func.dll (18563831 bytes)
   %System%\CatRoot2 (96 bytes)
   C:\autorun.inf (21 bytes)
   %WinDir%\WinSxS (12 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\AppPatch (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10756 bytes)
   %Documents and Settings%\All Users (4 bytes)
   %WinDir%\REGISTRATION (4 bytes)
   C:\$Directory (1984 bytes)
   %System%\dllcache (4 bytes)
   %WinDir%\inf (400 bytes)
   %System%\config\SysEvent.Evt (920 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Program Files%\COMMON FILES (4 bytes)
   C:\PROGRAM FILES (4 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %System%\wbem (1064 bytes)
   %WinDir%\phpq.dll (22141559 bytes)
   C:\1.exe (32 bytes)
   %Program Files%\Common Files\VMware\Drivers (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\v13-200.exe (414 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\QvodSetupPlus3.0.exe (3497 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.