Dropped.Application.Keylogger.Ardamax.Gen_0bdd03e344
HEUR:Trojan.Win32.Generic (Kaspersky), Dropped:Application.Keylogger.Ardamax.Gen (AdAware), Trojan.Win32.Bumat.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Keylogger, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0bdd03e344c9840a792568ba7980dc06
SHA1: 151cbcb324112f4dbcfc16e316ddef298b3eb860
SHA256: 704f8ff8e90efa548ed3939a9ff72dcf0f5e55a016034cb63c19da4864e24ea9
SSDeep: 49152:GKve2yFhoncdWVWqfyom4gUSCzdPVicaP6go1Z:jG2yzocEpfyoyCTicq6f
Size: 2020864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-03-08 13:32:38
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Dropper: a program whose purpose is the stealth installation of other malware on the user's system. This sample is a Microsoft IExpress self-extractor (the VersionInfo below is that of WEXTRACT.EXE with the product name changed to "HD Player"; no Authenticode certificate is present) whose .rsrc section carries the payload. When run it extracts to %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\, launches the bundled OLLYDBG.EXE (its strings identify it as the OllyDbg debugger, presumably the lure) and Install.exe. Install.exe installs Ardamax Keylogger 3.1 into %System%\28463\ (PDLX.exe, its companion PDLX.00x files and key.bin); PDLX.exe then registers itself under the HKLM Run key as "PDLX Agent" and under the Uninstall key as "Ardamax Keylogger 3.1". The RunOnce entry wextract_cleanup0 is the self-extractor's own cleanup: it deletes the IXP000.TMP folder at the next logon and is not persistence.
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
OLLYDBG.EXE:608
PDLX.exe:752
Install.exe:1084
%original file name%.exe:1956
The Dropped injects its code into the following process(es):
No code injection was detected.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process PDLX.exe:752 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk (702 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Help.lnk (658 bytes)
%System%\28463\PDLX.002 (560 bytes)
The process Install.exe:1084 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\@2.tmp (91332 bytes)
%System%\28463\PDLX.chm (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (4 bytes)
%System%\28463\PDLX.007 (196 bytes)
%System%\28463\PDLX.006 (196 bytes)
%System%\28463\PDLX.001 (396 bytes)
%System%\28463\PDLX.exe (84668 bytes)
%System%\28463\key.bin (106 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (0 bytes)
The process %original file name%.exe:1956 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Install.exe (12907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TBar manager.ini (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dbghelp.dll (20550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ollydbg.ini (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE (20264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\register.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\RecoverMyFiles.udd (15142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\license.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.HLP (5936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PSAPI.DLL (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Cmdline.dll (1961 bytes)
Registry activity
The process OLLYDBG.EXE:608 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 09 DB 42 D7 FF 4E 58 08 21 37 F8 6D CA 44 2B"
The process PDLX.exe:752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\ASProtect\SpecData]
"F74DB923F74DB923" = "4A DB FE 77 DE C8 20 5A BA 15 C7 F8 45 94 75 4F"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\0]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"UninstallString" = "%System%\28463\Uninstall.exe"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\InprocServer32]
"(Default)" = ""
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}]
"(Default)" = "Imoneliv"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"DisplayName" = "Ardamax Keylogger 3.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\MiscStatus]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\ToolboxBitmap32]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Version]
"(Default)" = ""
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\TypeLib]
"(Default)" = ""
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\FLAGS]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\0\win32]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Control]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 6C 01 D1 6B 21 0B B1 D2 60 C9 2D DB 1F E7 0A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Programmable]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}]
"(Default)" = ""
[HKCU\Software\ASProtect\SpecData]
"(Default)" = "F74DB923F74DB923"
To run automatically at every Windows start, the Dropped registers the keylogger executable under the system autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDLX Agent" = "%System%\28463\PDLX.exe"
The process Install.exe:1084 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 3B 05 D8 B5 8D 4E D0 6E B8 A7 20 D9 B0 74 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\28463]
"PDLX.exe" = "PDLX"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Dropped writes the following IE security-zone mapping values. All three match IE's default Local intranet zone settings (each option is enabled by default), so the writes are recorded here but are not by themselves a weakening of zone security. Host names without dots are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
UNC network paths are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
Addresses that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1956 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 8F 1E 70 05 1D 95 46 9D BC 9C 61 7C 23 F0 7B"
The Dropped also adds a one-shot RunOnce entry. This is the standard IExpress/WEXTRACT cleanup (compare the wextract_cleanup%d and DelNodeRunDLL32 strings below), not persistence: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the extraction folder, so the files dropped into IXP000.TMP should be collected before the host is rebooted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
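The two autorun entries on this page (the "PDLX Agent" value under Run and the wextract_cleanup0 value under RunOnce) need to be told apart during triage: one is the persistence to remove, the other is a cleanup that will destroy evidence. The Python below is an added example, not part of the Lavasoft report. It reads the report's own `[KEY]` / `"Name" = "Data"` layout, and the two heuristics it applies (an executable under a numeric %System% subdirectory, and a rundll32 advpack.dll,DelNodeRunDLL32 delete command) are this example's own, derived from the entries shown above. The embedded sample text is constructed from those entries.

```python
"""Added example, not part of the Lavasoft report: triage Run / RunOnce values
from the report's "[KEY]" / "Name" = "Data" layout.  The classification rules
(numeric %System% subdirectory, advpack DelNodeRunDLL32 cleanup) are this
example's own heuristics, derived from the entries shown on the page."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"$')
# Install directory of the form %System%\<digits>\ (here %System%\28463\).
NUMERIC_SYSTEM_DIR = re.compile(r"%system%\\\d+\\", re.IGNORECASE)
# IExpress/WEXTRACT cleanup: rundll32 advpack.dll,DelNodeRunDLL32 <dir> deletes <dir> once.
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)

# Constructed sample in the report's layout, copied from the registry activity above.
SAMPLE_REPORT = r"""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 8F 1E 70 05 1D 95 46 9D BC 9C 61 7C 23 F0 7B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDLX Agent" = "%System%\28463\PDLX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
"""


def parse_registry_report(text):
    """Yield (key, value_name, value_data) for every value line under a [KEY] header."""
    key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def triage_autoruns(text):
    """Classify every value under a ...\\Run or ...\\RunOnce key."""
    findings = []
    for key, name, data in parse_registry_report(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf not in ("run", "runonce"):
            continue
        finding = {"key": key, "name": name, "data": data, "flags": []}
        if DELNODE_RE.search(data):
            # One-shot folder deletion: anything in that folder is gone after next logon.
            finding["verdict"] = "iexpress-cleanup"
            finding["deletes"] = data.split("DelNodeRunDLL32", 1)[1].strip().strip('"')
        elif leaf == "run":
            finding["verdict"] = "persistence"
        else:
            finding["verdict"] = "run-once"
        if NUMERIC_SYSTEM_DIR.search(data):
            finding["flags"].append("numeric-system-subdir")
        if "\\temp\\" in data.lower() or "locals~1" in data.lower():
            finding["flags"].append("temp-path")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REPORT):
        print(f"{f['verdict']:17} {f['name']:20} {f['data']}  {' '.join(f['flags'])}")
```

The split verdict is the operational point: the Run value survives reboots and is what has to be removed, while the RunOnce value is the self-extractor deleting its own IXP000.TMP folder, so the Install.exe, OLLYDBG.EXE and the other files listed in the file-activity section must be copied off before the next logon.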
Dropped PE files
| MD5 | File path |
|---|---|
| 8a8fb246f5bbb650c2ed039265ddd631 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL |
| 022e81e0fae5e1d727b413b3a746a300 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\Cmdline.dll |
| 86f5d6c9f13576e6344627f40c9f1b49 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\Install.exe |
| bd3abb4ac01da6edb30006cc55953be8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE |
| abbc53dbdb01df277a7dd8f86da1c168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\PSAPI.DLL |
| 820baff3cda72e782dd621bfad8968f7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\dbghelp.dll |
| 35b24c473bdcdb4411e326c6c437e8ed | c:\WINDOWS\system32\28463\PDLX.006 |
| a8e19de6669e831956049685225058a8 | c:\WINDOWS\system32\28463\PDLX.007 |
| b863a9ac3bcdcde2fd7408944d5bf976 | c:\WINDOWS\system32\28463\PDLX.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.6001.18702
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43568 | 44032 | 4.49092 | 01bd9281049701d15cfdc4ea914085d3 |
| .data | 49152 | 8800 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
| .rsrc | 61440 | 1970488 | 1970688 | 5.53964 | 508050657a73d25051787cd9ce9d5733 |
| .reloc | 2035712 | 3280 | 3584 | 3.32738 | 0d1a3239e0dfa95a30f03f130df7797e |
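The section layout in the table above is the shape of a self-extracting stub: .rsrc accounts for 1970688 of 2020864 bytes (about 97.5% of the file) while .text is the 44 KB WEXTRACT code. The Python below is an added example, not from the report. It parses the section table with the standard library only, computes per-section entropy and flags a resource-heavy layout. The 0.9 threshold and the build_test_pe() helper, which assembles a constructed PE-shaped blob so the check can be exercised offline, are this example's own.

```python
"""Added example, not part of the Lavasoft report: read a PE section table with the
standard library only, compute per-section entropy, and flag the layout seen above,
where .rsrc holds almost the whole file.  build_test_pe() makes a constructed,
minimal PE-shaped blob for testing; it is not a runnable executable."""
import math
import struct
import sys
from collections import Counter

SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 is uniformly random, 0.0 is one repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """One dict per IMAGE_SECTION_HEADER, with the entropy of the section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_header_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, table + i * SECTION_HEADER_SIZE)
        raw = pe[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def resource_heavy(sections: list, file_size: int, threshold: float = 0.9) -> bool:
    """True when .rsrc alone exceeds `threshold` of the file: the shape of a self-extracting
    stub (IExpress/WEXTRACT, SFX installers) that carries its payload as a resource."""
    for s in sections:
        if s["name"] == ".rsrc":
            return s["raw_size"] / file_size > threshold
    return False


def build_test_pe(section_specs: list) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header with an empty
    optional header, a section table, then the sections' raw bytes back to back."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(section_specs)
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, raw in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                             len(raw), headers_end + len(body), 0, 0, 0, 0, 0x40000040)
        body += raw
        vaddr += max((len(raw) + 0xFFF) & ~0xFFF, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read()
    secs = parse_sections(data)
    for s in secs:
        print(f"{s['name']:8} va={s['virtual_address']:#x} raw={s['raw_size']:>9} "
              f"entropy={s['entropy']}")
    print("resource-heavy stub:", resource_heavy(secs, len(data)))
```

Run against a sample it prints a table in the same shape as the one above. The same heuristic fires on any IExpress, SFX or installer stub, so treat a hit as a prompt to carve the embedded cabinet out of the resources and analyse its contents, not as a verdict on its own.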
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Dropped connects to no servers; no network activity was observed.
Strings (%original file name%.exe:1956):
.text
`.data
.rsrc
@.reloc
advapi32.dll
wininit.ini
advpack.dll
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegCreateKeyExA
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
_acmdln
_amsg_exit
msvcrt.dll
COMCTL32.dll
VERSION.dll
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
BOOKMARK.DLL
Cmdline.dll
dbghelp.dll
license.txt
OLLYDBG.EXE
OLLYDBG.HLP
ollydbg.ini
PSAPI.DLL
readme.txt
RecoverMyFiles.udd
register.txt
TBar manager.ini
Install.exe
"OLLYDBG.EXE"
"Install.exe"
wextract.manifest
Manifest to support IExpress WExtract.exe.
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
00F0x0
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Failed to get disk space information from: %s.
System Message: %s.
A required resource cannot be located.
Are you sure you want to cancel?
Unable to retrieve operating system version information.
Memory allocation request failed.
Filetable full.
Can not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
That folder is invalid. Please make sure the folder exists and is writable.
You must specify a folder with fully qualified pathname or choose Cancel.
Could not update folder edit box.
Could not load functions required for browser dialog.
Could not load Shell32.dll required for browser dialog.
Error creating process <%s>. Reason: %s
The cluster size in this system is not supported.
A required resource appears to be corrupted.
Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %s
GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
NT Shutdown: OpenProcessToken error.
NT Shutdown: AdjustTokenPrivileges error.
NT Shutdown: ExitWindowsEx error.
Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
The setup program could not retrieve the volume information for drive (%s) .
System message: %s.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
The installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
Another copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
The folder '%s' does not exist. Do you want to create it?
Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
The '%s' package is not compatible with the version of Windows you are running.
The '%s' package is not compatible with the version of the file: %s on your system.
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
WEXTRACT.EXE
Windows
8.00.6001.18702
OLLYDBG.EXE_608:
.text
`.data
.rdata
P.idata
@.edata
@.rsrc
@.reloc
FPU registers have indexes 0 to 7
Unknown import name
Too long import name
Unterminated import name
Sorry, 16-bit addressing is not supported
Unrecognized operand
Unsupported size of floating constant
REP %s
REPE %s
REPNE %s
Extra input after operand
Too few operands
Too many operands
Command does not support given operands
Wrong number of operands
Please specify operand size
Bad operand size
Different size of operands
Constant does not fit into operand
Relative jump out of range, use %s LONG form
Unary operation not supported for this data type
Unsupported size declaration
Left operand of IN must be integer
Operation is not supported for these data types
Port I/O
Loading function descriptions from '%.*s.arg'
EXPORT
Too many keys
Unknown keyword
Line %i: %s in
Writing compiled function descriptions to 'known.bin'
known.bin
%s.%.*s
%.*s.X
X,
X ???
%s %s
hw = %X
("%s")(class="%s")
X {%i.,%i.,%i.,%i.}'%s',
class='%s',
wndproc=X,
parent=X
Processing string data from '%.*s.dat'
Line %i: %s
Unable to create output file 'loaddll.bin'
('%c')%s X
,X
CHAR '%c'
XX
1/(2**1/3)
CONST %s
CONST -%s
%s=lX (decimal %lu.)
%s=lX (decimal %lu.)
%s=X
%s=lX
%s.%.*s
%s=lX
%s(%i)
%s=<empty>
XMMWORD %s
%s %s
(%i-BYTE) %s
X:
lX=%s
%s X:X
%s X:X
%s=X
(%s-bit, base %lX, size %lX)
%s=X
Return to X:X
Return to X (%.*s)
Return to X
X (O%i D%i T%i S%i Z%i A%i P%i C%i)
AH=X
FL=X
X:
PREFIX %s:
ATTENTION, %s!
Unaligned stack operation
Unable to restore access to memory block %s
OllyDbg is unable to activate memory breakpoint on address range %s. Breakpoint is completely removed.
OllyDbg is unable to activate memory breakpoint on the whole specified address range (%s). Breakpoint is reduced to range lX..lX.
You are going to set memory breakpoint in system area. This breakpoint may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint on resource. This breakpoint, when hit within system DLL, may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint on stack. This doesn't work on Win95-based operating systems.
Corrupted breakpoint, in memory: X, old command: X
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains its original value X. Probably you are debugging self-modified code or set breakpoint on data.
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. Do you want to keep modified command? (If you answer 'No', old code X will be restored).
It looks like you are trying to set breakpoint in the middle of some command or data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
It looks like you are trying to set breakpoint on the data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
You want to place breakpoint outside the code section. INT3 breakpoint set on data will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
%s condition at
when %s
When %s
, inactive condition %s
%sass count=%u.
Change condition at X
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. (Original code contained X). Probably you are debugging self-modified code or set breakpoint on data.
CPU subwindows
Run trace %i. step%s back
%smodule %.*s
%s %s at X
The byte you are pointing at lies outside the executable code of any known module. Invalid EIP may have disastrous effects on the debugged program. Do you still want to change origin?
Edit code at X
&Hardware, on execution
Case %s
Call DLL export
Copy to executable
Modify %s at X
Modify float at X
Modify MMX data at X
Modify 3DNow! data at X
Modify SSE data at X
Unable to locate data in executable file
OS will adjust fixups, thus modifying your code. Were you not carefull enough, this may have disastrous effects on the debugged program. Do you still want to update executable file?
Copy selection to executable file?
%s label at X
Modify stack at X
Edit stack at X
Modify %s
Modify %s as 3DNow!
%.3s X
EIP X
%.1s %c %.2s X
%s %lX(%lX)
%.1s %c
LastErr %s (lX)
EFL X (
FST X Cond %i %i %i %i Err %i %i %i %i %i %i %i %i
FCW X
s, s
DR%i X
??? , ??? , ??? , ???
s,
MXCSR X %i %4.4s %i %i %i %i %i %i %i %i %i %i %i %i %i
%s,%s
%s - %s
Open 32-bit executable
.exe|.dll
ollydbg.hlp
Open new executable (F3)
Pause execution (F12)
WINDOWS
Show windows
.exe;*.dll|.obj;*.lib
.c;*.cpp;*.h;*.hpp;*.asm;*.pas|.c;*.cpp|.h;*.hpp|.asm|.pas|.txt|.bak
COND: %s
Entry point of %s
DebugBreak called from X
$use Shift F7/F8/F9 to pass exception to program
Memory breakpoint when executing [lX]
read=X
write=X
Access violation when %s [lX]%s
Access violation%s
Break-on-access when %s [lX]
Array bounds exceeded%s
Denormalized floating-point operand%s
Floating-point division by zero%s
Inexact floating-point result%s
Invalid floating-point operation%s
Floating-point overflow%s
FPU stack error%s
Floating-point underflow%s
Integer division by zero%s
Integer overflow%s
Privileged instruction%s
Illegal instruction%s
Exception is not continuable%s
Stack overflow%s
Exception X%s
Exception X (%s)%s
New thread with ID X created
New process with ID X created
Main thread with ID X created
Thread X terminated, exit code %X
Thread X terminated, exit code %X (%i.)
Break on thread X termination
Thread X terminated, trace stopped
LOADDLL.EXE: %s
LOADDLL terminated: %s
LOADDLL terminated, exit code %X
Process terminated, exit code %X
Process terminated, exit code %X (%i.)
In order to perform action that is not supported by OS, OllyDbg has injected short piece of code into the debugged application, but received no response within 5 seconds. Do you want to wait for another 5 seconds? (If you answer No, the consistency and stability of program is not guaranteed and you should restart it as soon as possible).
Unexpected event X in injected code. Debugged program may get unstable, please reload it as soon as possible.
Unexpected exception X in injected code. Debugged program may get unstable, please reload it as soon as possible.
%s Do you REALLY want to execute this code at address X?
Don't know how to step because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to step over command at address X. Try to step in, run, change EIP or pass exception to program.
Don't know how to step over command at address X. Try to step in, run or change EIP.
Don't know how to step command at address X. Try to run, change EIP or pass exception to program.
Don't know how to step command at address X. Try to change EIP or pass exception to program.
Debugged program set single step flag (bit T in EFL). I don't know how to step command at address X correctly. Try to %sset breakpoint on next command and run.
Don't know how to continue because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to bypass breakpoint at address X. Try to delete breakpoint, change EIP or pass exception to program.
Don't know how to bypass command at address X. Try to change EIP or pass exception to program.
Dynamic link library '%s%s' that resides in OllyDbg directory is intended for use on NT-based operating systems only. Delete it?
Dynamic link library '%s%s' that resides in OllyDbg directory has lower file version (%s) than corresponding DLL in system directory (%s). Delete old library from the OllyDbg directory? (If necessary, you can restore it later from the original .zip archive)
Sorry, unable to debug under Windows 3.1
Dosapp.fon
Operands[%i]
Import library
log.txt
rtrace.txt
Restore windows
Letter key in Disassembler
Accept unaligned stack operations
%X,%X
PSAPI.DLL
DBGHELP.DLL
PSAPI.DLL is not found. This library contains important process- and module-oriented functions for Windows NT (version for NT 4.0 is shipped with OllyDbg). Normal debugging is hardly possible. Do you nevertheless want to continue?
KERNEL32.DLL
Strange as it seems to be, KERNEL32.DLL is not found. This library contains important process- and module-oriented functions. Normal debugging is hardly possible. Do you nevertheless want to continue?
KERNEL32.DLL on your system does not contain functions VirtualQueryEx and/or VirtualProtectEx. Maybe you have old version of the operating system. Normal debugging is hardly possible. Do you nevertheless want to continue?
SHELL32.DLL
IMAGEHLP.DLL
SHLWAPI.DLL
ADVAPI32.DLL
NTDLL.DLL
OllyDbg v%i.i%s%s
UDD directory '%s' doesn't exist. Please specify valid path in Options|Appearance|Directories, otherwise breakpoints, comments and analysis data will be lost after debugged program terminates.
OllyDbg is unable to attach to process X as a "just-in-time" debugger.
%u. commands traced
X,X
\xX
X lX lX
Assemble at X
Undefined operands allowed only for search
HEX X
hXXp://home.t-online.de/home/Ollydbg
Virtual key code (VK_xxx)
Pointer to MSG structure (ASCII)
Pointer to MSG structure (UNICODE)
%s conditional log breakpoint at
WinProc(hWnd,msg,wParam,lParam)
WinMain(hInst,hPrevInst,CmdLine,ShowState)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
"%s" %s
- JIT debugger is %s
X (%s)
"%s" "%1"
0..FFFFFFFF
1,2,10..12,16,81,82,110
114,115,137
220..229,230
Keyboard
170..173,138
39,140..161
[ESP 8] IN (%s)
X %s
[ESP 8]==%s
" && %s
[ESP 4]==X && %s
(Last error = %s)
Unable to create file '%s'
Disk full or I/O error when writing to '%s'
%.*s_X.mem
unknown_file.mem
Unable to open file '%s'
File '%s' (%li bytes) is longer than memory block (%li bytes). Load anyway and truncate?
File '%s' (%li bytes) is shorter than memory block (%li bytes). Load anyway and fill rest of backup with actual data?
Error reading file '%s'. Backup copy may be corrupted.
Error writing file '%s'
Dump of file '%s' differs from original. Do you want to save modified file to disk? If you answer 'Yes', you will be asked for the filename. If you answer 'No', you will lose any changes you have made.
Dump of file '%s' is not modified. Do you really want to save unchanged dump to disk?
File '%s' already exists. Do you REALLY want to overwrite it?
File '%s' is system or read-only. Please try another name.
Unable to backup file '%s'. Please try another name
Unable to create file '%s'. Please try another name
Error writing file '%s'. Please try another name
Edit data at X
View &executable file
Copy to executable file
Modify data at X
Unable to open file '%s' for dump.
Sorry, OllyDbg is unable to allocate %lu. bytes of memory necessary to display dump of file '%s'.
File %s
%s is full, some data will be lost!
%-*.*s
lX %s
Unable to allocate %li bytes of memory for log data buffer. Log window is not available in this session. All other functions, including logging data to file, are not influenced.%s
%s%s%s*.udd
%s%s%s
%s%s%s_%i.udd
Error reading .udd file
Different path, discarding .udd data
Size changed, discarding .udd data
Date/time changed, discarding .udd data
CRC changed, discarding .udd data
\StringFileInfo\xx\FileVersion
Module %s
SectionAlignment in Optional Header is less than 0x1000 (0x%X bytes)
Code size in header is X, extending to size of section
at X
.data
Invalid or compressed Image Export Directory
Import Lookup Table outside .idata
%s.#%i_%s
%s.%s
%s.#%i
Unable to open or read executable file '%s'
Bad or unknown format of 32-bit executable file '%s'
File '%s' contains too much data
Unload %s
X (%i.)
%-*.*s
imports,
exports,
operator %s
%-*.*s
Export
Import
Follow import in Disassembler
Find references to import
&Toggle breakpoint on import
&Conditional breakpoint on import
Conditional &log breakpoint on import
Find: %s
Unknown record type X
Source file %s
Found %i segment%s, %i IMPLIB ordinal%s
Found %i matching segment%s
Scanning import library '%.*s'$press SPACE to interrupt
Scanning import library '%.*s'
Unable to open import library
Unable to read import library
Resolved %i ordinal%s
.obj;*.lib
%i,%s
Import libraries
Select import libraries
Save user data outside any module to main .udd file
Ignore (pass to program) following exceptions:
After Executing till RET, step over RET
Pass exceptions to SFX extractor
Specify size of 16-byte SSE operands as:
XMMWORD (eXtended MMX operand)
Always show size of memory operands
Letter key in Disassembler starts:
Unaligned stack operations
Note that default settings have no influence on existing windows, or on windows
Select path where .udd files will be stored
Backup old .udd files
Highlight operands:
You have asked to allocate %i MB memory for %s. Currently, operating system has only %i MB free virtual memory. Do you want to reduce your request to %i MB?
X (%.*s)
X .. X
% i %s
Processor doesn't support SSE instructions
OS doesn't support hardware breakpoints
UDD directory '%s' doesn't exist. Create it?
Unable to create directory '%s'. Please specify different name.
UDD path '%s' is not a directory. Do you want to use directory '%s' instead?
Plugin directory '%s' doesn't exist. Please select another direcory.
Plugin path '%s' is not a directory. Do you want to use directory '%s' instead?
Portuguese
%s (Unknown sublanguage)
%s at X
Resource at X
String %X
Table of windows
Process '%s' is active. If you terminate it now, process will be unable to clean up and write unsaved data to disk. Do you really want to terminate active process?
X (%li.)
Unable to terminate process '%s'. Operating system reports error %s
Any file (*.*)
.exe;*.dll
Executable file or DLL (*.exe,*.dll)
Executable file (*.exe)
Dynamic-link library (*.dll)
Object file or library (*.obj,*.lib)
Object file (*.obj)
Import or object library (*.lib)
.c;*.cpp;*.h;*.hpp;*.asm;*.pas
Source (*.c,*.cpp,*.h,*.hpp,*.asm,*.pas)
.c;*.cpp
C/C source (*.c,*.cpp)
C source (*.cpp)
.h;*.hpp
Header file (*.h,*.hpp)
C Header file (*.hpp)
Assembler source (*.asm)
Delphi/Pascal source (*.pas)
Text file (*.txt)
Backup file (*.bak)
Argument descriptions (*.arg)
Help file (*.hlp)
*%s file (*%s)
&%i %s
Unable to extract name of executable file from link '%s'
Unable to locate file '%s'
Unable to open or read file '%s'
File '%s' is probably not a 32-bit Portable Executable. Try to load it anyway?
File '%s' probably will not run under Win95-based OS. Try to load it anyway?
File '%s' is a Dynamic Link Library. Windows can't execute DLLs directly. Launch LOADDLL.EXE?
Unable to extract LOADDLL.EXE. If OllyDbg directory is write-protected, please enable writing or move OllyDbg to another directory.
"%s\LOADDLL.EXE" %s
Unable to start file '%s'
Console file '%s'
File '%s'
Arguments '%s'
%s - %s%s
The process '%s' is one you are currently debugging. You are already attached to it.
Unable to attach to process '%s'
%chread lX
%s (lX)
You are going to kill thread X. Note
X (%i.)
%%B = X
Inspect %s in
Win95/98 may crash when NEG ESP is executed
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when VxD call is executed in user mode
LOCK CMPXCHG8B may crash some processors when executed
<%s.%s>
<%s.&%s>
<%s.&%.*s.%s>
ASCII X,
%cNAN X lX lX
%c??? X lX lX
%cUNORM X lX lX
Quick statistical test of module '%.*s' reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong. Do you want to continue analysis?
Struct 'IMAGE_IMPORT_DESCRIPTOR'
Import lookup table for '%.*s'
Struct 'IMAGE_EXPORT_DIRECTORY'
Export Address Table
Export Name Pointer Table
Export Ordinal Table
Call switch table used at < X>
Index table to switch < X>
Switch table %sused at < X>
Switch table (reverse%s) used at < X>
RET used as a jump to < X>
(WM_USER %X)
of switch < X>
Default case of switch < X>
Switch (cases -%X..%X)
Switch (cases %X..%X)
{ %X}{[ %X]}%i %s procedure%s
1 call to known%s
%i calls to known%s
Analysing %.*s: %s
Analysing %.*s: %s, %s
%i loops%s
%i switches%s
Unable to allocate %i bytes of memory%s
%s X
%s X
Warning, debug data subsection %i (type X) is too long
Unrecognized AlignSym 0xX (size %i)
Unrecognized GlobalSym 0xX (size %i)
Unknown debug data subsection type X
Debugging information (%s format) available
%.*s.%s
Size of source file exceeds 16 M: '%s'
Error reading source file '%s'
Source - %s%s (%s)
*.dll
Plugin '%s' has invalid version (%i.i)
_ODBG_Plugincmd
Plugin '%s' failed to initialize (code %i)
Plugin %s
=Handle X
AWINDOWS
ICO_WINDOWS
Windows
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_USERS
.Default
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
File (pipe)
WindowStation
ACCESS_MASK_PIPE
ACCESS_MASK_KEY
Size %i. (X) bytes
Hide unimportant handles
Show unimportant handles
Arg %i: %s
%s: %s
%s: Integer expression expected
X %s
Unable to access LOADDLL.EXE
Call export in %s%s
Export:
Please wait till previous call is executed
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
kernel32.dll
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\OLLYDBG.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\udd
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\plugin
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\ollydbg.ini
%Documents and Settings%\Wij\Bureaublad\nag2.txt
%System%\
C:\ReverseIt Programs\Win32API\win32.hlp
%Documents and Settings%\Ik\Bureaublad\RVA.txt
c:\Program Files\OllyDbg
VERSION.DLL
COMCTL32.DLL
COMDLG32.DLL
GDI32.DLL
USER32.DLL
OLE32.DLL
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegOpenKeyA
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
ShellExecuteA
EnumChildWindows
EnumThreadWindows
EnumWindows
GetKeyState
MapVirtualKeyA
ollydbg.exe
_Findimportbyname
_Getcputhreadid
_OpenEXEfile
_Setcpu
Id X
&Executable modules
&Windows
Select import &libraries
Change arguments of executable file
Pass count (dec.)
If program pauses, pass following commands to plugins:
Copy selection to executable file
Add to Windows Explorer
Add OllyDbg to menu in Windows Explorer
Break on all windows with same title
1.0.10.0
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
OLLYDBG.EXE:608
PDLX.exe:752
Install.exe:1084
%original file name%.exe:1956
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk (702 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Help.lnk (658 bytes)
%System%\28463\PDLX.002 (560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@2.tmp (91332 bytes)
%System%\28463\PDLX.chm (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (4 bytes)
%System%\28463\PDLX.007 (196 bytes)
%System%\28463\PDLX.006 (196 bytes)
%System%\28463\PDLX.001 (396 bytes)
%System%\28463\PDLX.exe (84668 bytes)
%System%\28463\key.bin (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Install.exe (12907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TBar manager.ini (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dbghelp.dll (20550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ollydbg.ini (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE (20264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\register.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\RecoverMyFiles.udd (15142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\license.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.HLP (5936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PSAPI.DLL (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Cmdline.dll (1961 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDLX Agent" = "%System%\28463\PDLX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.