Gen.Trojan.Heur.GM.0000460480_b4b116587c
Gen:Trojan.Heur.GM.0000460480 (B) (Emsisoft), Gen:Trojan.Heur.GM.0000460480 (AdAware), Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b4b116587cf977db9735cff9f977da38
SHA1: f3ea3064bbe1c9bae42a22ced6c5a763565ce8f0
SHA256: ad66ec991e6920ef32a6208f080bc175b139d59695d4c2ed2b7b324b546a6cf6
SSDeep: 12288:Ja9gChm0Be4Rh9OJvhjpOz+463peQpk3ER8YpxPKcwnAmB8P0OlvR85JDvlrR/Wu:prZ9Ov6xpk7FAm9EvmJDr/WmA5X7iUq
Size: 972288 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Install Manager
Created at: 1970-01-01 03:00:00 (the PE timestamp is zero; the value is epoch 0 rendered in the analysis system's UTC+3 local time)
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found. The strings and traffic below show a Visual Basic 6 program (MSVBVM60.DLL, project path *\AE:\srouce\modznc\Project1.vbp, internal name anti.exe) wrapped in a protector, which drives Internet Explorer through the InternetExplorer.Application COM object to load hXXp://wm.sumohit.com/cf.html. That page embeds a whos.amung.us hit counter and a script that picks one of several fpsmodz.net links; the binary also carries adf.ly and linkbucks.com short links and references to the Crossfire game (crossfire.exe, CShell.dll, WWW.CROSSFIRE-MEGACHEAT.RU), which is consistent with a game-cheat loader that monetises visits through ad links.
Process activity
The Trojan creates the following process(es):
No processes have been created directly. An iexplore.exe instance (PID 884, memory dump below) was nevertheless running during the analysis; the InternetExplorer.Application and LocationURL strings in the sample indicate it was started through COM automation, which a parent/child process monitor does not attribute to the sample.
The Trojan injects its code into the following process(es):
%original file name%.exe:616 (its own process: the packed image is unpacked into the RWX regions of process 616 that are dumped below)
Mutexes
The following mutexes were created/opened (all are standard Windows mutexes belonging to the CTF text-services, WinINet/URLMon cache, RAS and application-compatibility shim libraries the process loads; none is specific to this sample):
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cf[1].htm (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\253[1].png (324 bytes)
C:\FapCF.dll (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 F0 4E 94 20 C7 57 23 D0 C3 D0 40 76 91 F0 EC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Internet Explorer Local Intranet zone options. Each value below is the IE default for that option and is also written by Internet Explorer/WinINet itself when a user profile is initialised for the first time, which is consistent with the sample driving IE through the InternetExplorer.Application COM object (see the strings below); on their own they are weak indicators:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (network paths (UNCs) are treated as Intranet Zone)
"ProxyBypass" = "1" (sites that bypass the proxy server are treated as Intranet Zone)
"IntranetName" = "1" (local sites not listed in other zones are treated as Intranet Zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 1047a985a176faeb0a81c39fcb2e2424 | c:\FapCF.dll |
At 87 bytes (see File activity) this file is too small for a DOS header followed by NT headers and a section table (88 bytes before the first section header), so it cannot be a loadable PE image whatever the analysis system's classification says; treat it as data (a marker or configuration file) until its contents are inspected.
HOSTS file anomalies
No changes to the file's contents have been detected. Note that File activity above records %System%\drivers\etc\hosts being deleted (0 bytes), and the strings include \system32\Drivers\etc\hosts.ics.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 11111
Product Name: z
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: anti.exe
Internal Name: anti
File Version: 1.00
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .!rc! | 49152 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 94208 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .reloc0 | 98304 | 498616 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .reloc1 | 598016 | 514162 | 514560 | 5.4703 | 433fe7529f3c4964e0ffea3354a2f682 |
| .rsrc | 1114112 | 4924 | 5120 | 4.16911 | 927c681c8f11906d5b58083b6e8a7002 |
| .enigma1 | 1122304 | 4096 | 200704 | 5.47703 | 786d666622f9c3b7bb49d25a842e6132 |
| .enigma2 | 1126400 | 249856 | 249856 | 4.04837 | 4f5464a2a27efb5c228736715d7c89c4 |
Four sections (.text, .!rc!, .idata, .reloc0) have a raw size of 0 and an MD5 of d41d8cd98f00b204e9800998ecf8427e, the hash of empty input: they hold no bytes on disk and are populated only at runtime, so the code and import table exist only after in-memory unpacking. The .enigma1/.enigma2 section names, together with the loaderx86.dll, evb*.tmp, THookWindowsAPI and ImportCall_Zw*Key strings below, point to Enigma Protector with its Virtual Box file-bundling runtime rather than to the PolyEnE/UPolyX signatures reported by PEiD.
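As an added example (not part of the Lavasoft report or of the sample), the following Python script parses a PE section table the way a triage tool would and applies the checks the table above invites: a section with SizeOfRawData 0 but a non-zero VirtualSize is filled at runtime, and a section name or entropy that points at a protector. It also rejects inputs that cannot be PE files at all, which covers the 87-byte C:\FapCF.dll under Dropped PE files. The image it parses is constructed in memory from the header values in the table (raw data shrunk to 512 bytes per section, no optional header); the list of protector section names is an assumption of this example.

```python
import math
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
# Section names left behind by protectors. This list is an assumption of the
# example, not something the report states.
PROTECTOR_SECTION_NAMES = {".enigma1", ".enigma2", "UPX0", "UPX1", ".aspack", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale used in the table above; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk the PE section table; raise ValueError for anything that is not a PE."""
    if len(image) < 64 or image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(image) or image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            raise ValueError("section table truncated")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def looks_like_pe(data: bytes) -> bool:
    """True only if a DOS header, NT headers and a complete section table are present."""
    try:
        parse_sections(data)
        return True
    except ValueError:
        return False


def packing_indicators(sections: list) -> list:
    """Heuristics a triage script applies to a parsed section table."""
    findings = []
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: 0 bytes on disk, {s['vsize']} bytes reserved in memory; filled at runtime")
        if s["name"] in PROTECTOR_SECTION_NAMES:
            findings.append(f"{s['name']}: section name used by a known protector")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} indicates compressed or encrypted data")
    return findings


# Constructed sample: header values copied from the table above, raw data shrunk
# to 512 bytes per section. "low" is a repeating 4-byte pattern (entropy 2.0);
# "high" is a permutation in which every byte value appears twice (entropy 8.0).
SECTION_SPECS = [
    (b".text", 4096, 45056, 0, None),
    (b".!rc!", 49152, 45056, 0, None),
    (b".idata", 94208, 4096, 0, None),
    (b".reloc0", 98304, 498616, 0, None),
    (b".reloc1", 598016, 514162, 512, "low"),
    (b".rsrc", 1114112, 4924, 512, "low"),
    (b".enigma1", 1122304, 4096, 512, "low"),
    (b".enigma2", 1126400, 249856, 512, "high"),
]
LOW_ENTROPY_DATA = bytes(range(4)) * 128
HIGH_ENTROPY_DATA = bytes((i * 131 + 7) & 0xFF for i in range(512))


def build_sample_image() -> bytes:
    """Assemble a minimal PE (DOS header, PE signature, COFF header, no optional header)."""
    data_start = 512
    headers, payload = b"", b""
    for name, va, vsize, rawsize, kind in SECTION_SPECS:
        rawptr = data_start + len(payload) if rawsize else 0
        headers += struct.pack("<8sIIII", name, vsize, va, rawsize, rawptr) + b"\0" * 16
        if rawsize:
            payload += (HIGH_ENTROPY_DATA if kind == "high" else LOW_ENTROPY_DATA)[:rawsize]
    coff = struct.pack("<HHIIIHH", 0x14C, len(SECTION_SPECS), 0, 0, 0, 0, 0x102)
    dos = IMAGE_DOS_SIGNATURE.ljust(0x3C, b"\0") + struct.pack("<I", 64)
    return (dos + IMAGE_NT_SIGNATURE + coff + headers).ljust(data_start, b"\0") + payload


if __name__ == "__main__":
    for line in packing_indicators(parse_sections(build_sample_image())):
        print(line)
    print("87-byte dropped file looks like a PE:", looks_like_pe(b"MZ" + b"\0" * 85))
```

Run against a real sample the same function works on the file bytes; the entropy threshold and name list are the only tunables, and a raw size of 0 with a large virtual size is the strongest single signal because the loader has to fill that range before the entry point can execute.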
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://wm.sumohit.com/cf.html | |
| hxxp://whos.amung.us/swidget/fapcfmodz.png | |
| hxxp://widgets.amung.us/small/02/253.png | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /small/02/253.png HTTP/1.1
Accept: */*
Referer: hXXp://wm.sumohit.com/cf.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Tue, 11 Nov 2014 22:00:47 GMT
Content-Type: image/png
Content-Length: 324
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT
Connection: keep-alive
Expires: Thu, 11 Dec 2014 22:00:47 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

[324-byte PNG image body omitted; the Content-Length matches the 253[1].png file listed under File activity]
GET /swidget/fapcfmodz.png HTTP/1.1
Accept: */*
Referer: hXXp://wm.sumohit.com/cf.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Tue, 11 Nov 2014 22:00:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/02/253.png
Set-Cookie: uid=CgH9JlRihw+MEChCMS20Ag==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/0..
GET /cf.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: wm.sumohit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Nov 2014 22:00:42 GMT
Server: Apache mod_fcgid/2.3.10-dev
Last-Modified: Sun, 05 Oct 2014 06:09:29 GMT
ETag: "83e08af-ada-504a6cf169840"
Accept-Ranges: bytes
Content-Length: 2778
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html

(response body, 2778 bytes, truncated by the analysis system at <<< skipped >>>; line breaks restored and URLs defanged)
<script type="text/javascript">
var webLink = new Array("hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html",
    "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html",
    "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html");
var randNumber = Math.floor(Math.random() * webLink.length);
var linkActive = webLink[randNumber];
var linkTut;
if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}else if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}else if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}else if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}else if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}else if(linkActive == "hXXp://fpsmodz.net/game/crossfire/synboz-working-world-wide.html"){
    linkTut = "hXXp://fpsmodz.net/synboz-fps.html";
}
function eLinkActiveTut(){
    document.write("<font color='red'size='5'><b><strong>-Press<a rel='nofollow' id='randomlink' target='_bla<<< skipped >>>
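As an added example, not part of the original report, this Python script pairs each request in a dump like the Traffic section above with its response and rebuilds the navigation chain from Referer headers and 3xx Location redirects. The capture it parses is a constructed copy of the three exchanges above, reduced to the headers that matter (cookie value replaced by a placeholder, URLs left undefanged so string comparison works). The result shows that both amung.us requests descend from cf.html and that the whos.amung.us widget request is a 303 to the widgets.amung.us image, i.e. a hit counter rather than a second-stage download.

```python
import re

# Constructed capture: the three exchanges from the Traffic section, headers only.
CAPTURE = """\
GET /cf.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: wm.sumohit.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache mod_fcgid/2.3.10-dev
Content-Length: 2778
Content-Type: text/html

GET /swidget/fapcfmodz.png HTTP/1.1
Accept: */*
Referer: http://wm.sumohit.com/cf.html
Host: whos.amung.us

HTTP/1.1 303 See Other
Content-Type: text/html
Transfer-Encoding: chunked
Location: http://widgets.amung.us/small/02/253.png
Set-Cookie: uid=PLACEHOLDER; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/

GET /small/02/253.png HTTP/1.1
Accept: */*
Referer: http://wm.sumohit.com/cf.html
Host: widgets.amung.us

HTTP/1.1 200 OK
Server: nginx/1.2.4
Content-Type: image/png
Content-Length: 324
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _parse_block(block: str):
    """Split one request or response into its first line and a lower-cased header map."""
    lines = block.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_capture(text: str) -> list:
    """Pair each request with the response that follows it in the dump."""
    flows = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        first, headers = _parse_block(block)
        if first.startswith("HTTP/"):
            if not flows or flows[-1]["status"] is not None:
                raise ValueError("response with no preceding request")
            flows[-1]["status"] = int(first.split()[1])
            flows[-1]["location"] = headers.get("location")
            flows[-1]["content_type"] = headers.get("content-type")
            flows[-1]["set_cookie"] = "set-cookie" in headers
        else:
            method, path, _version = first.split()
            flows.append({
                "method": method,
                "url": f"http://{headers['host']}{path}",
                "referer": headers.get("referer"),
                "status": None, "location": None, "content_type": None, "set_cookie": False,
            })
    return flows


def request_chain(flows: list) -> list:
    """Order requests by how each was reached: root, referer child, or redirect target."""
    by_url = {f["url"]: f for f in flows}
    chain, seen = [], set()

    def walk(flow, how):
        if flow["url"] in seen:
            return
        seen.add(flow["url"])
        chain.append((how, flow["url"], flow["status"]))
        # A 3xx with Location: the next hop is the redirect target, which IE also
        # tags with the original page's Referer, so it must be claimed here first.
        if flow["status"] in REDIRECT_CODES and flow["location"] in by_url:
            walk(by_url[flow["location"]], "redirect")
        for child in flows:
            if child["referer"] == flow["url"] and child is not flow:
                walk(child, "referer")

    for flow in flows:
        if not flow["referer"]:
            walk(flow, "root")
    return chain


def defang(url: str) -> str:
    """Render a URL the way the report does, so it cannot be clicked by accident."""
    return url.replace("http://", "hXXp://", 1).replace("https://", "hXXps://", 1)


if __name__ == "__main__":
    for how, url, status in request_chain(parse_capture(CAPTURE)):
        print(f"{how:8} {status} {defang(url)}")
```

The redirect is followed before referer children on purpose: the 253.png request carries the cf.html Referer because IE propagates the original page's referer across the 303, so without that ordering the image would be misreported as a direct child of cf.html and the hit-counter hop would disappear from the chain.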
The Trojan connects to the servers at the following location(s): see the URLs table above.
Strings (from the file image and from the memory regions dumped below):
.text
.idata
.reloc0
.reloc1
.rsrc
.enigma1
.enigma2
KERNEL32.dll
GetCPInfo
SHDocVwCtl.WebBrowser
WWW.CROSSFIRE-MEGACHEAT.RU
RED-HACK.RU
shdocvw.dll
WebBrowser
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX28\AutoPlay\Docs\Portable.VB6\VB6.OLB
%System%\ieframe.oca
ShellExecuteA
user32.dll
shell32.dll
kernel32.dll
PSAPI.DLL
ntdll.dll
VBA6.DLL
sKey
MSVBVM60.DLL
b52.sSku
XLCRTE
fe4wEBf
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvbvm60.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
c:\%original file name%.exe
Q&%U3$
JP.dS6
Hn.Hq
<8~b&f%d
.NKW
?_5.%C
.Hjv}i
Rh.hr
.aF3|f
v1.ZF
.awZn
.btu7
N14.kx%P
%SCLiJM
%c}x>OS-M
.hvs5#
j|%DK
kd[bTa%f*k o-h
f.nxe)3[
.lz{8y8z8q4.QM
0.WnA
.npy=\
.RN!J
.AJ*=-
BG(j.fC
_9%d!o!e's?|7sH1->[
%drw7
RH2.hvw2o
H.fzc
:dFTP)^
v).vl%
@Ôd]W
;.fYB
%Dyb3
da.Hqoj%
tA/b|}0.vQ
.bMc$
s;-9}
EN.JC
;xc(m%c&
6[.cgr
*%F!I
I.HG\
rG-fp}<*
C:\ttR
.iNl9x
.Lb O
@f/n g'l#m%d
,nB.mt{R.KNW
.jI3s>e
Y-5}Z[
%un-`"m%n.
%d%e*i2r2z0r7z
.Xn2]A
v5 .mw
$po.ku
.iwr5 r@
kI6.WO
}.fpu='
)!.CP
n#l .hv
S2.nx0M] <
>}cf%C
iu2,%dr
'5.mR
G1-c}
dp=%cZc)~2}=A]
fS..bA
&=%c%
5.hvo#
.jtq:
5?{m)7.btK2.lr
0 0<0@0`0
0i%fZc-h%
*.)!bk.Va
USER32.dll
jh.imI
1O.Iu
wO.kN-
}6v.aJ9c!
zL|.WR
.FaQ;L
ST.gP
n.VL3}
}tJ-%.ohD{)Ÿg
-(J.EnMuQ
.oFRJ
d.Atj
Q.mb&U
&F-o}
.NOHO
n.EaJ)l
j.aUE
J.BbXc
.JDaFyn
9*.Li
*p>?.Dx kU
J.fm&k
6h.wY
.'7:797<7
\~0.ZF
c.VF>
.THEM
.jR,}?r
.edata
P.reloc
P.rsrc
1234567
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.GR
ole32.dll
!"#$%&*;<=>@[]^_`{|}
ZwOpenKey
ZwEnumerateValueKey
ZwQueryKey
ZwQueryValueKey
ZwCreateKey
ZwEnumerateKey
ZwSetValueKey
ZwDeleteKey
ZwDeleteValueKey
ZwFlushKey
ZwLoadKey
ZwLoadKey2
ZwNotifyChangeKey
ZwQueryMultipleValueKey
ZwReplaceKey
ZwRestoreKey
ZwSaveKey
ZwSetInformationKey
ZwUnloadKey
ZwOpenKeyEx
ZwQuerySection, Unsupported class %d
KeySetValue unsupported value type
ZwQueryValueKey, unsupported class %d
ZwQueryKey, unsupported class %d
ZwQueryObject with unsupported class
ZwReadFileInformation with unsupported class
ZwSetInformationFile with unsupported class
sxs.dll
THookWindowsAPI
Cannot find function %s in library %s
Cannot find function ordinal %d in library %s
.section
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
GetWindowsDirectoryW
GetWindowsDirectoryA
RtlFormatCurrentUserKeyPath
SHFolder.dll
shlwapi.dll
loaderx86.dll
KWindows
TntWindows
UrlMon
virtualboximportunit
*\AE:\srouce\modznc\Project1.vbp
C:\aim1
C:\aim2.dat
\system32\Drivers\etc\hosts.ics
crossfire.dat
@ti.exe
HGWC.exe
iexplore.exe
hXXp://wm.sumohit.com/cf.html
InternetExplorer.Application
\ddraw.dll
0123456789
\FapCF.dll
Windows Internet Explorer
Web Browser
iexplore.exe - Application Error
crossfire.exe
\CShell.dll
LocationURL
adf.ly
hXXp://6b188f15.linkbucks.com
hXXp://e96c08fe.linkbucks.com
hXXp://197290c7.linkbucks.com
hXXp://863ffe29.linkbucks.com
hXXp://adf.ly/Wo4hu
hXXp://adf.ly/Wo4pL
hXXp://adf.ly/XX1H9
hXXp://adf.ly/XX1JN
hXXp://adf.ly/XX1FB
hXXp://adf.ly/ruqY2
hhXXp://adf.ly/ruqY2
hXXp://adf.ly/ruqZ7
hXXp://adf.ly/ruqdu
hXXp://adf.ly/ruqbS
@*\AE:\srouce\modznc\Project1.vbp
anti.exe
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
%DEFAULT FOLDER%
FapCF.dll
%SYSTEM FOLDER%
%WINDOWS FOLDER%
%Cookies FOLDER%
hh.exe
write.exe
attrib.exe
chkdsk.exe
compact.exe
find.exe
help.exe
winver.exe
regsvr32.exe
replace.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
Was not able to create virtual value at ImportCall_ZwSetValueKey
Was not able to create virtual key at ImportCall_ZwSetValueKey
ImportCall_ZwLoadKey
ImportCall_ZwLoadKey2
ImportCall_ZwNotifyChangeKey
ImportCall_ZwQueryMultipleValueKey
ImportCall_ZwReplaceKey
ImportCall_ZwRestoreKey
ImportCall_ZwSaveKey
ImportCall_ZwSetInformationKey
ImportCall_ZwUnloadKey
evb*.tmp
.manifest
Unsupported call of ZwSetVolumeInformationFile
7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
%original file name%.exe_616_rwx_00401000_00092000:
SHDocVwCtl.WebBrowser
WWW.CROSSFIRE-MEGACHEAT.RU
RED-HACK.RU
shdocvw.dll
WebBrowser
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX28\AutoPlay\Docs\Portable.VB6\VB6.OLB
%System%\ieframe.oca
ShellExecuteA
user32.dll
shell32.dll
kernel32.dll
PSAPI.DLL
ntdll.dll
VBA6.DLL
sKey
MSVBVM60.DLL
b52.sSku
XLCRTE
fe4wEBf
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvbvm60.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
c:\%original file name%.exe
Q&%U3$
JP.dS6
Hn.Hq
<8~b&f%d
.NKW
?_5.%C
.Hjv}i
Rh.hr
.aF3|f
v1.ZF
.awZn
.btu7
N14.kx%P
%SCLiJM
%c}x>OS-M
.hvs5#
j|%DK
kd[bTa%f*k o-h
f.nxe)3[
.lz{8y8z8q4.QM
0.WnA
.npy=\
.RN!J
.AJ*=-
BG(j.fC
_9%d!o!e's?|7sH1->[
%drw7
RH2.hvw2o
H.fzc
:dFTP)^
v).vl%
@Ôd]W
;.fYB
%Dyb3
da.Hqoj%
tA/b|}0.vQ
.bMc$
s;-9}
EN.JC
;xc(m%c&
6[.cgr
*%F!I
I.HG\
rG-fp}<*
C:\ttR
.iNl9x
.Lb O
@f/n g'l#m%d
,nB.mt{R.KNW
.jI3s>e
Y-5}Z[
%un-`"m%n.
%d%e*i2r2z0r7z
.Xn2]A
v5 .mw
$po.ku
.iwr5 r@
kI6.WO
}.fpu='
)!.CP
n#l .hv
S2.nx0M] <
>}cf%C
iu2,%dr
'5.mR
G1-c}
dp=%cZc)~2}=A]
fS..bA
&=%c%
5.hvo#
.jtq:
5?{m)7.btK2.lr
0 0<0@0`0
KERNEL32.dll
GetCPInfo
0i%fZc-h%
*\AE:\srouce\modznc\Project1.vbp
C:\aim1
C:\aim2.dat
\system32\Drivers\etc\hosts.ics
crossfire.dat
@ti.exe
HGWC.exe
iexplore.exe
hXXp://wm.sumohit.com/cf.html
InternetExplorer.Application
\ddraw.dll
0123456789
\FapCF.dll
Windows Internet Explorer
Web Browser
iexplore.exe - Application Error
crossfire.exe
\CShell.dll
LocationURL
adf.ly
hXXp://6b188f15.linkbucks.com
hXXp://e96c08fe.linkbucks.com
hXXp://197290c7.linkbucks.com
hXXp://863ffe29.linkbucks.com
hXXp://adf.ly/Wo4hu
hXXp://adf.ly/Wo4pL
hXXp://adf.ly/XX1H9
hXXp://adf.ly/XX1JN
hXXp://adf.ly/XX1FB
hXXp://adf.ly/ruqY2
hhXXp://adf.ly/ruqY2
hXXp://adf.ly/ruqZ7
hXXp://adf.ly/ruqdu
hXXp://adf.ly/ruqbS
@*\AE:\srouce\modznc\Project1.vbp
anti.exe
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
%original file name%.exe_616_rwx_0049F000_00001000:
msvbvm60.dll
%original file name%.exe_616_rwx_00512000_00001000:
.THEM
.jR,}?r
%DEFAULT FOLDER%
FapCF.dll
%original file name%.exe_616_rwx_00544000_00002000:
ntdll.dll
.section
iexplore.exe_884:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
%original file name%.exe_616_rwx_00547000_00002000:
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyA
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): no processes have been created by the sample.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cf[1].htm (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\253[1].png (324 bytes)
C:\FapCF.dll (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Restore %System%\drivers\etc\hosts, which the sample deleted (see File activity).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.