Gen.Variant.Mikey.17205_f813a93cc9

by malwarelabrobot on September 1st, 2015 in Malware Descriptions.

Gen:Variant.Mikey.17205 (B) (Emsisoft), Gen:Variant.Mikey.17205 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: f813a93cc9d88d18caf833f24384c0b7
SHA1: 7698918605c8e77333dc8fe82bc9208b56d4862d
SHA256: 6d2d566acda63e7708cf39d72ea2becf437e263d66ca8877cc806f582ac1e0b0
SSDeep: 24576:2GlUiqdfScB40gJYgGMRLKZz73VtSqb3 h:NladfS84LCgGMEBke h
Size: 983756 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-05 21:49:16
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:320
Setup.exe:452

The Trojan injects its code into the following process(es):
No code injection into other processes has been detected.

Mutexes

The following mutexes were created/opened:

78ec8a3ee6fb41d9611148b90a933eaa
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex

File activity

The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NVCDHR82\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGPAT4R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INOPCVW3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5GKUFH0P\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 0C 6F CC AA 18 9B B2 71 17 53 D6 CE 4A A9 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process Setup.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"setup.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS]
"setup.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"setup.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 7A EB 65 AD 97 78 9F 1F E2 35 86 87 36 4A AB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Install Assistant
Product Name: HD Player
Product Version: 3.0.0.105
Legal Copyright: (c) Install Assistant
Legal Trademarks:
Original Filename: Setup_v3.206.exe
Internal Name: Setup_v3.206.exe
File Version: 3.0.0.105
File Description: HD Player
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             588288        588288    4.69314  db03a44a1b6be0df4688da13dd9a9e15
.rdata  593920           153600        153600    4.17498  2c3e71abcd9b6f69610b956d3a014fa9
.data   749568           53604         9216      2.8059   d97a37de97a69e2b020227b3224cb4ec
.rsrc   806912           175768        176128    5.46255  195f2e2e80f749e7dc75fd4fc35166e7
.reloc  983040           50784         51200     3.97447  36c29761b6d520e3daae44cffd0725ca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 58
0702ce4b38ed6f5bc4ab1a0599c41eb3
ef84949a8f96c8aaf30dc06cf2613cac
cf01a8df723bda5647ebb9b7e086f390
c07bcb73b6da1cb92ae80f3a1c68df8c
a73d22a4ff9e5e99447cbe530704d495
98028c0e8395abda4bbc54f3f9f0b1b7
8b71476006381489d17756e623d71b1a
37f71eb2a47861fdff5615bbe4bd5171
32161c0af38094fa64e3176089430e51
1d7228e2995738e03067d75193e33959
15c50be266618178390e9ac12dabfdca
1339386a8d7635df1bfbcafbe5c74607
fe90e24e3319c22dc21155e7c4e7abb2
29342c4f34d54d90a7ae4beb8903838b
26ad89273ce42160801bdb53a83e5904
faa9019c89db3745f0a6fc68540422ee
e2243ef8ab69486e02f05549d9d2b0c4
bcc90bbc21b59a2be6c49f70044da97a
94a63aabfa7562d1c9e186baea4fe89a
8dfcb55ae5756e456c1977e8bcf01645
7bf15f59b972fc2c636c6cf9592cb0d7
68f1efe2aa68c0949471c4f248c0202f
44382ad2539ef5e3f77c369501838997
04b78907360a5b5cce49449c0aa9b527
0285de746776f92c82abfb637d26136f

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_320:

.text
`.rdata
@.data
.rsrc
@.reloc
eexef
PSSSSSSh
>.YYu
VWj%S
?%u/F
xSSSh
FTPjKS
FtPj;S
C.PjRV
KERNEL32.dll
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
function <%s:%d>
function '%s'
(...tail calls...)
%s:%d:
%s: %s
stack overflow (%s)
cannot %s %s: %s
%s: %p
name conflict for module '%s'
PANIC: unprotected error in call to Lua API (%s)
version mismatch: app. needs %f, Lua core provides %f
bad argument #%d to '%s' (%s)
calling '%s' on bad self (%s)
bad argument #%d (%s)
%s expected, got %s
@invalid option '%s'
$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $
%s:%d: %s
attempt to %s %s '%s' (a %s value)
attempt to %s a %s value
attempt to compare %s with %s
attempt to compare two %s values
invalid option '%%%c' to 'lua_pushfstring'
attempt to load a %s chunk (mode is '%s')
error in __gc metamethod (%s)
Ainvalid key to 'next'
upvaluejoin
_HKEY
invalid capture index %%%d
missing '[' after '%%f' in pattern
^$* ?.([%-
invalid use of '%c' in replacement string
invalid replacement value (a %s)
\d
invalid option '%%%c' to 'format'
@field '%s' missing in date table
invalid conversion specifier '%%%s'
cannot open file '%s' (%s)
standard %s file is closed
invalid value (%s) at index %d in table for 'concat'
system error %d
no file '%s'
'package.%s' must be a string
error loading module '%s' from file '%s':
luaopen_%s
no module '%s' in file '%s'
no field package.preload['%s']
module '%s' not found:%s
'package.searchers' must be a table
!\?.dll;!\loadall.dll;.\?.dll
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua
too many %s (limit is %d)
char(%d)
%s near %s
%s expected
too many %s (limit is %d) in %s
function at line %d
%s expected (to close %s at line %d)
<goto %s> at line %d jumps into the scope of local '%s'
no visible label '%s' for <goto> at line %d
<%s> at line %d not inside a loop
label '%s' already defined on line %d
%s: %s precompiled chunk
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Broken pipe
Inappropriate I/O control operation
Operation not permitted
?#%X.y
%S#[k
portuguese-brazilian
GetProcessWindowStation
operator
xml=hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
?456789:;<=
!"#$%&'()* ,-./0123
bit library self-test failed (%s)
crash report crypt failed
) on url:
CoInternetParseUrl failed (
unsupported
Unsupported data type
lxp `%s' callback is not a function
error closing parser: %s
LuaExpat 1.3.0
requested feature requires XML_DTD support in Expat
unexpected parser state - please send a bug report
POWRPROF.dll
CoInternetParseUrl
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
dbghelp.dll
VERSION.dll
SHFileOperationW
ShellExecuteExW
SHELL32.dll
SHDeleteKeyW
SHLWAPI.dll
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
HttpQueryInfoA
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetCPInfo
CreatePipe
GetProcessHeap
zcÁ
c:\%original file name%.exe
ry7reexe?e>7rys
io.stdout:setvbuf('no')
package.path = ''
local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)
package.path=''
local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)
if r ~= nil then r = ml.tstring(r) end
foundation.encoding
foundation._http
foundation.logic
foundation.misc
foundation.zip
join
key_exists
create_key
enumerate_subkeys
enumerate_subkeys_next
enumerate_subkeys_close
delete_key
shell_execute_ex
load_exe_resource
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></application></compatibility></assembly>
hsb.gy
QUvE(^&.yf
@^2B%sG
0%XZj
CG.Wi
\%xI2j
.HztL
j&?*@%c
W.WPzq=
|y%sJz\_=E
Fxx$a>9.Yc
.VFIS
CL%-r}A
X O%uPAUz
?,?8?[?~?
5'5-525?5
4%4.4;4@4
3%3S3[3a3l3v3
= =$=(=,=
<$=(=,=0=4=8=<=
7(7,70747
8 8$8(8,8084888
? ?$?(?[?
4#4'4 4/43474
1 11
=#>5>[>~>
8œ9
<$<,<2<7<=<
,=0=4=8=<=@=
: :$:(:,:0:4:
4 4@4`4|4
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
IDispatch error #%d
" --crash_report="
crash_report
errorUrl
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
3.0.0.105
Setup_v3.206.exe

Setup.exe_452:

.text
`.rdata
@.data
.rsrc
@.reloc
eexef
PSSSSSSh
>.YYu
VWj%S
?%u/F
xSSSh
FTPjKS
FtPj;S
C.PjRV
KERNEL32.dll
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
function <%s:%d>
function '%s'
(...tail calls...)
%s:%d:
%s: %s
stack overflow (%s)
cannot %s %s: %s
%s: %p
name conflict for module '%s'
PANIC: unprotected error in call to Lua API (%s)
version mismatch: app. needs %f, Lua core provides %f
bad argument #%d to '%s' (%s)
calling '%s' on bad self (%s)
bad argument #%d (%s)
%s expected, got %s
@invalid option '%s'
$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $
%s:%d: %s
attempt to %s %s '%s' (a %s value)
attempt to %s a %s value
attempt to compare %s with %s
attempt to compare two %s values
invalid option '%%%c' to 'lua_pushfstring'
attempt to load a %s chunk (mode is '%s')
error in __gc metamethod (%s)
Ainvalid key to 'next'
upvaluejoin
_HKEY
invalid capture index %%%d
missing '[' after '%%f' in pattern
^$* ?.([%-
invalid use of '%c' in replacement string
invalid replacement value (a %s)
\d
invalid option '%%%c' to 'format'
@field '%s' missing in date table
invalid conversion specifier '%%%s'
cannot open file '%s' (%s)
standard %s file is closed
invalid value (%s) at index %d in table for 'concat'
system error %d
no file '%s'
'package.%s' must be a string
error loading module '%s' from file '%s':
luaopen_%s
no module '%s' in file '%s'
no field package.preload['%s']
module '%s' not found:%s
'package.searchers' must be a table
!\?.dll;!\loadall.dll;.\?.dll
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua
too many %s (limit is %d)
char(%d)
%s near %s
%s expected
too many %s (limit is %d) in %s
function at line %d
%s expected (to close %s at line %d)
<goto %s> at line %d jumps into the scope of local '%s'
no visible label '%s' for <goto> at line %d
<%s> at line %d not inside a loop
label '%s' already defined on line %d
%s: %s precompiled chunk
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Broken pipe
Inappropriate I/O control operation
Operation not permitted
?#%X.y
%S#[k
portuguese-brazilian
GetProcessWindowStation
operator
xml=hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
?456789:;<=
!"#$%&'()* ,-./0123
bit library self-test failed (%s)
crash report crypt failed
) on url:
CoInternetParseUrl failed (
unsupported
Unsupported data type
lxp `%s' callback is not a function
error closing parser: %s
LuaExpat 1.3.0
requested feature requires XML_DTD support in Expat
unexpected parser state - please send a bug report
POWRPROF.dll
CoInternetParseUrl
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
dbghelp.dll
VERSION.dll
SHFileOperationW
ShellExecuteExW
SHELL32.dll
SHDeleteKeyW
SHLWAPI.dll
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
HttpQueryInfoA
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetCPInfo
CreatePipe
GetProcessHeap
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe
ntdll.dll
kernel32.dll
psapi.dll
ry7reexe?e>7rys
io.stdout:setvbuf('no')
package.path = ''
local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)
package.path=''
local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)
if r ~= nil then r = ml.tstring(r) end
foundation.encoding
foundation._http
foundation.logic
foundation.misc
foundation.zip
join
key_exists
create_key
enumerate_subkeys
enumerate_subkeys_next
enumerate_subkeys_close
delete_key
shell_execute_ex
load_exe_resource
wininet.dll
HttpSendRequest() failed
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></application></compatibility></assembly>
hsb.gy
QUvE(^&.yf
@^2B%sG
0%XZj
CG.Wi
\%xI2j
.HztL
j&?*@%c
W.WPzq=
|y%sJz\_=E
Fxx$a>9.Yc
.VFIS
CL%-r}A
X O%uPAUz
?,?8?[?~?
5'5-525?5
4%4.4;4@4
3%3S3[3a3l3v3
= =$=(=,=
<$=(=,=0=4=8=<=
7(7,70747
8 8$8(8,8084888
? ?$?(?[?
4#4'4 4/43474
1 11
=#>5>[>~>
8œ9
<$<,<2<7<=<
,=0=4=8=<=@=
: :$:(:,:0:4:
4 4@4`4|4
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
IDispatch error #%d
" --crash_report="
crash_report
errorUrl
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
3.0.0.105
Setup_v3.206.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:320
    Setup.exe:452

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NVCDHR82\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGPAT4R\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INOPCVW3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5GKUFH0P\desktop.ini (67 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
