Dropped.Application.Generic.1693143_56c39a1dce

by malwarelabrobot on March 17th, 2017 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Dotdo.gen (Kaspersky), Dropped:Application.Generic.1693143 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 56c39a1dcef4a7f6755c63f70391094a
SHA1: 115d16ecd7fc98e0b6c31433ffef205bf1ed3560
SHA256: c4129598dfcac8dae8065f858ce5409104f2412159553db5c48a3003fb727bb5
SSDeep: 12288:qP6loS8dLkwrxfBMLEracHo6Br/aZX7qTp0xCKtvs7aHeDoqfNTuscRfkc:w62LdL1ViMH/wAp0xfuaPa6r
Size: 830408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Installshield Software Corporation
Created at: 2009-12-06 00:50:52
Analyzed on: Windows 7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
8b9031f5b50d41bc99adf692e8807f2a c:\Program Files\Pentameter\glaciated.exe
8b9031f5b50d41bc99adf692e8807f2a c:\Program Files\Sweetener\glaciated.exe
04bf135c23f1ae399952112497915f94 c:\Program Files\Sweetener\settings.dll
e2684e24f0e9b6e80a50389ef0121bc8 c:\Program Files\dissuade\dissuade.exe
87a27e7fcc8d22a489ac22074890233c c:\Program Files\hasidim\heinrichs.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseF547.tmp\ExecCmd.dll
b3d9028f33c0d4e352c4212d5edcf0eb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\115033.exe
0daaf37d35dec581f8ffcb517c312840 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\26646.exe
f97126915a1616f517bfdf9d4626194b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\49411.exe
9e60773c5a631af05ff7ac4dbe01927f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\54198.exe
77314ee74a19615770c9e96f55b84b9d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\NMcohort.exe
a7fea62c5d309d8b362d82b5a650ac0a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB2BC.tmp\cohort.exe
8b9031f5b50d41bc99adf692e8807f2a c:\Users\"%CurrentUserName%"\AppData\Local\glaciated.exe
8b9031f5b50d41bc99adf692e8807f2a c:\Windows\witchy.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS. The modified file is 1094 bytes in size. Among other things, the added entries point virustotal.com and validation.sls.microsoft.com to addresses that are not their own, so the HOSTS file must be restored as part of cleanup. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
188.95.50.62 bobomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 65536 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 258048 33944 34304 2.97823 dc440d19566b71fb909decc41f1762b6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Thu, 16 Mar 2017 00:26:38 GMT
Etag: "3015243340"
Expires: Thu, 23 Mar 2017 00:26:38 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (vie/F29C)
X-Cache: HIT
Content-Length: 1845

<<< skipped >>>

GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=BD2B1393CD4E4FFE22787D912B7C5D2D&sc_random=0.08525973389069952&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://VVV.ivids.net/page-1.html?lid=937115&u=http://VVV.ivids.net/page-1.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 00:26:20 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=dcb9b922d38a2c4ecba5f30497ba13d751489623980; expires=Fri, 16-Mar-18 00:26:20 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10675947.1489623980.0; expires=Tue, 15-Mar-2022 00:26:20 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1489623980369982738; expires=Sat, 16-Mar-2019 00:26:20 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 340394945691648d-FRA


GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 08:22:59 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Thu, 15 Feb 2018 08:22:59 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
heinrichs.exe_4012:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
Gw2.Hw
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nseF547.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseF547.tmp\ExecCmd.dll
"%Program Files%\Pentameter\glaciated.exe"
ExecCmd.dll
.reloc
EnumWindows
Kernel32.DLL
%Program Files%
\Pentameter\glaciated.exe"
\ExecCmd.dll
%SystemRoot%\
eq glaciated.exe" | %SystemRoot%\
\find /I "glaciated.exe"
\Pentameter\glaciated.exe
\glaciated.exe"
$$\wininit.ini
e%uy%u
=m.pJod 
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseF547.tmp
nseF547.tmp
rogram Files\Pentameter\glaciated.exe"
ecCmd.dll
ciated.exe" | %SystemRoot%\System32\find /I "glaciated.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nseF547.tmp
"%Program Files%\hasidim\heinrichs.exe"
%Program Files%\hasidim
heinrichs.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nszD7A9.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\hasidim\heinrichs.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
idim\heinrichs.exe"
meter\glaciated.exe"

dw20.exe_364:

.text
`.data
.rsrc
WerReportCloseHandle
WerReportAddDump
WerReportSubmit
WerReportSetUIOption
WerReportAddFile
WerReportSetParameter
WerReportCreate
dw20.pdb
_amsg_exit
MSVCR80.dll
_crt_debugger_hook
RegCloseKey
RegOpenKeyExW
ReportEventW
ADVAPI32.dll
KERNEL32.dll
USER32.dll
VERSION.dll
PSAPI.DLL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="dw20" type="win32" publicKeyToken="000000000000000"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency></assembly>
e\wer.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
\StringFileInfo\xx\%s
%d.%d.%d.%d
Microsoft .NET Error Reporting Shim
2.0.50727.4927 (NetFXspW7.050727-4900)
dw20.exe
.NET Framework
2.0.50727.4927

svchost.exe_668:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

taskeng.exe_2208:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
Aieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
Aurl
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Delete the original Dropped file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  3. Clean the Temporary Internet Files folder, which may contain infected files.
  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
