Backdoor.Delf.TN_0fc4593f19

by malwarelabrobot on September 4th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Danseed.b (Kaspersky), Backdoor.Delf.TN (B) (Emsisoft), Backdoor.Delf.TN (AdAware), Trojan.Win32.FlySky.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR, TrojanFlySky.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0fc4593f19bbd3232be4da7ecb574d10
SHA1: bd254db3dd6faaf5a4700b9afc1cb88722e8d95a
SHA256: 9f92c1160d9ee49185ded29b355a0d9714ed4abb9d3b525843e3370a840f1177
SSDeep: 12288:uc//////ZOyQR1cHrnNcJMlh86LsJdAhOiv06sWgkn 7CK5oGZbsm6ct3:uc//////0y1pcJMlGbAhMfq ZqY/6
Size: 607232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: AirInstaller
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Backdoor creates the following process(es):

net1.exe:1800
%original file name%.exe:1932
%original file name%.exe:660
¿á¸ç¿á.exe:1284
net.exe:1852
!@%.exe:1236
@#.exe:1676
&@.EXE:272
BDQX_Beta5.EXE:208

The Backdoor injects its code into the following process(es):

csross.exe:232
ipconfig.exe:572
IPCONFIG.EXE:1288

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\Common Files\Microsoft Shared\MSInfo\¿á¸ç¿á.jpg (9 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\&@.jpg (30 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\@#.jpg (1866 bytes)

The process ipconfig.exe:572 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\FE067A9E\svchsot.exe (601 bytes)

The process !@%.exe:1236 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\hack\csross.exe (2321 bytes)

The process @#.exe:1676 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\Common Files\Microsoft Shared\MSInfo\ipconfig.jpg (109 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\!@%.jpg (1738 bytes)

The process &@.EXE:272 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\BDQX_Beta5.EXE (30 bytes)

Registry activity

The process csross.exe:232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 32 D3 BB 79 11 85 C9 15 FC B3 49 80 15 FE D8"

The process net1.exe:1800 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 32 B8 FA 20 05 E8 41 77 4D B1 F0 10 8E 07 B7"

The process %original file name%.exe:1932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A C2 15 21 84 D2 14 30 5A 94 0F B8 B4 D4 BF F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\program files\common files\microsoft shared\msinfo]
"&@.EXE" = "&@"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\program files\common files\microsoft shared\msinfo]
"¿á¸ç¿á.exe" = "易语言程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\program files\common files\microsoft shared\msinfo]
"@#.exe" = "@#"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:660 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 1F A5 3F 31 89 B2 19 70 6B E9 B0 76 15 A0 E3"

The process ¿á¸ç¿á.exe:1284 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 EB 9F EF A3 6B 42 44 2C 88 72 96 55 22 E1 7F"

The process net.exe:1852 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 6D AA 10 DB BF 8D 2E 96 04 6D D9 DD 5B B9 C9"

The process ipconfig.exe:572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 AF 46 A7 3F EC 2A 99 5C 11 7D ED 43 7E 38 BF"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FE067A9E" = "%WinDir%\FE067A9E\svchsot.exe"

The process !@%.exe:1236 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 6E 0D C2 A9 C0 37 1F BF E4 8F C2 64 F4 6B 60"

The process @#.exe:1676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 BB 06 65 5C 5B F1 82 66 67 7F 6A 6D 74 63 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\program files\common files\microsoft shared\msinfo]
"ipconfig.exe" = "ipconfig"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\program files\common files\microsoft shared\msinfo]
"!@%.exe" = "!@%"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process IPCONFIG.EXE:1288 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 03 D6 48 DF C7 64 A9 8C DA F1 8E F1 6B 20 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process &@.EXE:272 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 C0 65 69 99 B0 ED 5B 98 41 93 6D 6B 25 76 4D"

[HKLM\SOFTWARE\BDX]
"1" = "2014-9-3 7:18:57"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDX" = "%WinDir%\BDQX_Beta5.EXE"

The process BDQX_Beta5.EXE:208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 EE 83 AA 59 87 56 4B CE 5A 38 A1 DF 7F A8 2B"

Dropped PE files

MD5 File path
c57fa2998a0b4e2f8e201c894cafed79 c:\Program Files\Common Files\Microsoft Shared\MSInfo\!@%.exe
164f465dc2dabe4e749e902d2d2076dc c:\Program Files\Common Files\Microsoft Shared\MSInfo\&@.EXE
be42bfa3f00664d58407b9c1074042ea c:\Program Files\Common Files\Microsoft Shared\MSInfo\@#.exe
d9a186c1b8bca10959e9797726202f88 c:\Program Files\Common Files\Microsoft Shared\MSInfo\¿á¸ç¿á.exe
c57fa2998a0b4e2f8e201c894cafed79 c:\Program Files\hack\csross.exe
164f465dc2dabe4e749e902d2d2076dc c:\WINDOWS\BDQX_Beta5.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 13396 13824 4.45645 74ab1940780c8fbf5b37236e0d01b799
DATA 20480 4304 4608 5.33436 0a417e897f77bab422c671eb67f2d2d1
BSS 28672 4217 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 36864 920 1024 2.81443 9a0c1525f12a1eea726ee25e706b5535
.tls 40960 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 45056 24 512 0.136854 51f930393084813dbf4be96aa18f3d08
.rsrc 49152 585148 585216 5.54491 cabc90c6a7ae4dcd4b86e8a67db3f667
.reloc 634880 1000 1024 4.35896 ae1a6c3cbbbdb8b94e54b75e6102daa8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
panda2.f3322.org 115.230.124.27


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Backdoor connects to the servers at the folowing location(s):

¿á¸ç¿á.exe_1284:

.text
`.rdata
@.data
.rsrc
krnln.fnr
krnln.fne
USER32.dll
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
N?9.PA;
1.0.0.0

ipconfig.exe_572:

.text
`.rdata
@.data
.rsrc
<4,$?7/'
(3-!0,1'8"5.*2$
USER32.dll
GetProcessHeap
KERNEL32.dll
MSVCRT.dll
_acmdln
Server.Dat
.nsp0
.nsp1
.nsp2
KERNEL32.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
WININET.DLL
AVICAP32.DLL
SHLWAPI.DLL
MSVCRT.DLL
MSVCP60.DLL
NETAPI32.DLL
URLMON.DLL
PSAPI.DLL
WINMM.DLL
WS2_32.DLL
SETUPAPI.DLL
IPHLPAPI.DLL
ACTIVEDS.DLL
WTSAPI32.DLL
VERSION.DLL
GDIPLUS.DLL
ShellExecuteA
URLDownloadToFileA
flyboy.dll
rcrt
C.ZU1
n%3x%
Y.XV/-
panda2.f3322.org
127.0.0.1

ipconfig.exe_572_rwx_10039000_00016000:

KERNEL32.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
WININET.DLL
AVICAP32.DLL
SHLWAPI.DLL
MSVCRT.DLL
MSVCP60.DLL
NETAPI32.DLL
URLMON.DLL
PSAPI.DLL
WINMM.DLL
WS2_32.DLL
SETUPAPI.DLL
IPHLPAPI.DLL
ACTIVEDS.DLL
WTSAPI32.DLL
VERSION.DLL
GDIPLUS.DLL
ShellExecuteA
URLDownloadToFileA
flyboy.dll
rcrt
C.ZU1
n%3x%
Y.XV/-

IPCONFIG.EXE_1288:

.rsrc
TTCPClient
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.url
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe
BDQX_Beta5.EXE
SYSTEM32\IPCONFIG.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Program Files\Internet Explorer\iexplore.exe
KWindows
`u_CmdShell
vu_MemRunExe
WinExec
PeekNamedPipe
CreatePipe
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegDeleteKeyA
RegCreateKeyA
ShellExecuteA
SHFileOperationA
URLDownloadToFileA
keybd_event
ExitWindowsEx
EnumWindows
GetKeyboardType
InternetOpenUrlA
HttpQueryInfoA
.idata
.rdata
P.rsrc
DD.IE
Scr%sI
e`Cmd&
version="2.3.0.0"
name="Win32-API-Tutorials.Win32-API-Tutorials.Sample Code"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
advapi32.dll
oleaut32.dll
PsApi.DLL
shell32.dll
shlwapi.dll
URLMON.dll
user32.dll
wininet.dll
ws2_32.dll

IPCONFIG.EXE_1288_rwx_10000000_0002B000:

.rsrc
TTCPClient
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.url
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe
BDQX_Beta5.EXE
SYSTEM32\IPCONFIG.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Program Files\Internet Explorer\iexplore.exe
KWindows
`u_CmdShell
vu_MemRunExe
WinExec
PeekNamedPipe
CreatePipe
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegDeleteKeyA
RegCreateKeyA
ShellExecuteA
SHFileOperationA
URLDownloadToFileA
keybd_event
ExitWindowsEx
EnumWindows
GetKeyboardType
InternetOpenUrlA
HttpQueryInfoA
.idata
.rdata
P.rsrc
DD.IE
Scr%sI
e`Cmd&
version="2.3.0.0"
name="Win32-API-Tutorials.Win32-API-Tutorials.Sample Code"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
advapi32.dll
oleaut32.dll
PsApi.DLL
shell32.dll
shlwapi.dll
URLMON.dll
user32.dll
wininet.dll
ws2_32.dll

csross.exe_232:

`.rsrc
t$(SSh
~%UVW
u$SShe
user32.dll
EnumWindows
GetKeyState
GetAsyncKeyState
QQSG.exe
@SG.jpg
playerdata/AccountHis.ini
Zone.ini
smtp.yeah.net@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[email protected]//////////////////////////////////////////////////////////
@pandatwo@yeah.net-------------------------------------------------------------------
csross.exe
%Program Files%
%Program Files%\hack
%Program Files%\hack\csross.exe
>0123456789ABCDEF deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
1.0.6
\shell32.dll
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
1.1.3
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
ec.exe
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
#include "l.chs\afxres.rc" // Standard components
jFF&&ÿFFF
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
]:;=<,_>?~`{[|\}]"'
(*.*)

csross.exe_232_rwx_00401000_0013A000:

t$(SSh
~%UVW
u$SShe
user32.dll
EnumWindows
GetKeyState
GetAsyncKeyState
QQSG.exe
@SG.jpg
playerdata/AccountHis.ini
Zone.ini
smtp.yeah.net@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[email protected]//////////////////////////////////////////////////////////
@pandatwo@yeah.net-------------------------------------------------------------------
csross.exe
%Program Files%
%Program Files%\hack
%Program Files%\hack\csross.exe
>0123456789ABCDEF deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
SMTP
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
1.0.6
\shell32.dll
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
1.1.3
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
%s: Cannot open
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%u: Sample out of range, max %u
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%f: Bad value for "%s"
%s: Invalid %stag "%s" (not supported by codec)
TIFFVSetField ... pass by value not imp.
%ld: Bad value for "%s"
%d: Bad value for "%s"
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
TIFFVGetField ... pass by value not imp.
Sorry, can not handle images with %d-bit samples
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, LogL data must have %s=%d
Sorry, can not handle separated image with %s=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Missing needed %s tag
Sorry, can not image with %d-bit samples
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sample %d out of range, max %u
Internal error, unknown tag 0x%x
Tag %d
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is no longer implemented due to Unisys patent enforcement
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Bogus "%s" field, ignoring and calculating from imagelength
TIFF directory is missing required "%s" field, calculating from imagelength
wrong data type %d for "%s"; tag ignored
unknown field with tag %d (0x%x) encountered
No space %s
TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 run arrays
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d,decompressor will try reading with sampling %d,%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
ec.exe
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
]:;=<,_>?~`{[|\}]"'


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net1.exe:1800
    %original file name%.exe:1932
    %original file name%.exe:660
    ¿á¸ç¿á.exe:1284
    net.exe:1852
    !@%.exe:1236
    @#.exe:1676
    &@.EXE:272
    BDQX_Beta5.EXE:208

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Program Files%\Common Files\Microsoft Shared\MSInfo\¿á¸ç¿á.jpg (9 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\&@.jpg (30 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\@#.jpg (1866 bytes)
    %WinDir%\FE067A9E\svchsot.exe (601 bytes)
    %Program Files%\hack\csross.exe (2321 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\ipconfig.jpg (109 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\!@%.jpg (1738 bytes)
    %WinDir%\BDQX_Beta5.EXE (30 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FE067A9E" = "%WinDir%\FE067A9E\svchsot.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BDX" = "%WinDir%\BDQX_Beta5.EXE"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now