MD5: 09a49e8f5aedfb1219d54d6e2141012c
SHA1: bbbf5fd06e556de62b88c96569ca9298da9b0ae7
SHA256: b880ffd0aa8e608ed1a41829fa0a88804a8ca406e809122f85308d649689c878
SSDeep: 49152:d w20/0so8x5TGyTB/w0IpdFKxcyMEQCf:gw280D8lt/qpdsxEER
Size: 2269184 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-10-25 23:00:23
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2008

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe{183A1AE6-895A-4c83-B991-69E906491862} (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EF.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7J6844YF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ED.tmp (4545 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SLMZWDIR\desktop.ini (67 bytes)
C:\RCXF1.tmp (295602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (165 bytes)
C:\%original file name%.exe (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EE.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FYJBLB51\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPJNZEPJ\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe{183A1AE6-895A-4c83-B991-69E906491862} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ED.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EF.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 71 2F 7C EE 86 BF 34 54 3E ED 9A 5C 25 D8 B3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\[email protected],"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 3143 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

|$D.tm

~%UVW

u$SShe

kernel32.dll

advapi32.dll

ntdll.dll

Kernel32.dll

user32.dll

Shlwapi.dll

Psapi.dll

RegOpenKeyExA

MsgWaitForMultipleObjects

00000000

gdi32.dll

Client.exe

tcls\Client.exe

BugTrap.dll

@.reloc

tGHt.Ht&

message.txt

MAPI32.DLL

PSAPI.DLL

IMPORTANT

d/d/d d:d:d

%s.bmp

%s%d.bmp

FLT_INVALID_OPERATION

FLT_DENORMAL_OPERAND

EAX=X EBX=X ECX=X EDX=X

ESI=X EDI=X FLG=X

EBP=X ESP=X EIP=X

CS=X DS=X SS=X ES=X FS=X GS=X

Windows NT 3.51

Windows 95

Windows NT 4.0

Windows 98

Windows Me

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

OS Version: %s %s

Build Number: %s

%s_ddd-ddd.%s

error_report

line %s

line %s %s byte(s)

%s() %s byte(s)

cmdline

usermsg

report

This %s was automatically generated

by BugTrap for Win32-x86 on %s

error report

Operating System:

KERNEL32.DLL

crashdump.dmp

errorlog.%s

UxTheme.dll

reports

\StringFileInfo\xx\ProductVersion

\StringFileInfo\xx\ProductName

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

x,

hex(x):

dword:x

; Error: cannot open registry key [

Windows Registry Editor Version 5.00

BT01Error Report

"%s" Error Report

wininet.dll

BugTrap-1.3.3661.37713.dmp

DBGHELP.DLL

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184--

Content-Type: multipart/form-data; boundary=BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

Content-Disposition: form-data; name="reportData"; filename="report.dat"

Content-Disposition: form-data; name="reportFileExtension"

hXXp://

%s\TEMP%lu

Unuspported URL scheme

Invalid URL

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

d:\1.

_ERS\BugTrapSrc\BugTrap\Win32\Bin\BugTrap.pdb

WS2_32.dll

COMCTL32.dll

PathCreateFromUrlA

UrlIsA

PathIsURLA

SHLWAPI.dll

VERSION.dll

HttpEndRequestA

HttpSendRequestExA

HttpOpenRequestA

InternetCrackUrlA

WININET.dll

GetConsoleOutputCP

KERNEL32.dll

USER32.dll

SetViewportOrgEx

GDI32.dll

RegCloseKey

RegEnumKeyExA

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

GetProcessHeap

BT_ExportRegistryKey

BT_GetReportFilePath

BT_GetReportFormat

BT_GetSupportEMail

BT_GetSupportHost

BT_GetSupportPort

BT_GetSupportURL

BT_SetReportFilePath

BT_SetReportFormat

BT_SetSupportEMail

BT_SetSupportHost

BT_SetSupportPort

BT_SetSupportServer

BT_SetSupportURL

zcÁ

check.avi Video #1

[,|46~=_

O$%C)*>*.?,(6&*8'#2!

$KÜB

)J'1G.JUEFC?WQRQOOOOOOOONNNKKKHHHEEECCC???:::444///   '''$$$

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

161@1`1~1

6'747 :5:?:`:

:.;4;8;<;@;

2*3034383<3

'6\~%System%\drivers\etc\hosts

127.0.0.1 cfluoye.cc

127.0.0.1 cfluoye.net

127.0.0.1 cfluoye.com

127.0.0.1 cfluoye.cn

127.0.0.1 cfluoye.tk

127.0.0.1 cfwudao.cc

127.0.0.1 cfwudao.net

127.0.0.1 cfwudao.com

127.0.0.1 cfwudao.cn

127.0.0.1 cfwudao.tk

127.0.0.1 cfmogu.cc

127.0.0.1 cfmogu.net

127.0.0.1 cfmogu.com

127.0.0.1 cfmogu.cn

127.0.0.1 cfmogu.tk

127.0.0.1 cfty.cc

127.0.0.1 cfty.net

127.0.0.1 cfty.com

127.0.0.1 cfty.cn

127.0.0.1 cfty.tk

127.0.0.1 cftianyue.cc

127.0.0.1 cftianyue.net

127.0.0.1 cftianyue.com

127.0.0.1 cftianyue.cn

127.0.0.1 cftianyue.tk

127.0.0.1 cfbingyue.cc

127.0.0.1 cfbingyue.net

127.0.0.1 cfbingyue.com

127.0.0.1 cfbingyue.cn

127.0.0.1 cfbingyue.tk

127.0.0.1 cfpanguan.cc

127.0.0.1 cfpanguan.net

127.0.0.1 cfpanguan.com

127.0.0.1 cfpanguan.cn

127.0.0.1 cfpanguan.tk

127.0.0.1 cflingyu.cc

127.0.0.1 cflingyu.net

127.0.0.1 cflingyu.com

127.0.0.1 cflingyu.cn

127.0.0.1 cflingyu.tk

127.0.0.1 cfmaidang.cc

127.0.0.1 cfmaidang.net

127.0.0.1 cfmaidang.com

127.0.0.1 cfmaidang.cn

127.0.0.1 cfmaidang.tk

127.0.0.1 cfxingyu.cc

127.0.0.1 cfxingyu.net

127.0.0.1 cfxingyu.com

127.0.0.1 cfxingyu.cn

127.0.0.1 cfxingyu.tk

127.0.0.1 cfhongchen.cc

127.0.0.1 cfhongchen.net

127.0.0.1 cfhongchen.com

127.0.0.1 cfhongchen.cn

127.0.0.1 cfhongchen.tk

127.0.0.1 cfyalan.cc

127.0.0.1 cfyalan.net

127.0.0.1 cfyalan.com

127.0.0.1 cfyalan.cn

127.0.0.1 cfyalan.tk

127.0.0.1 VVV.cfwudao.cc

127.0.0.1 VVV.cfwudao.net

127.0.0.1 VVV.cfwudao.com

127.0.0.1 VVV.cfwudao.cn

127.0.0.1 VVV.cfwudao.tk

127.0.0.1 VVV.cfmogu.cc

127.0.0.1 VVV.cfmogu.net

127.0.0.1 VVV.cfmogu.com

127.0.0.1 VVV.cfmogu.cn

127.0.0.1 VVV.cfmogu.tk

127.0.0.1 VVV.cfty.cc

127.0.0.1 VVV.cfty.net

127.0.0.1 VVV.cfty.com

127.0.0.1 VVV.cfty.cn

127.0.0.1 VVV.cfty.tk

127.0.0.1 VVV.cftianyue.cc

127.0.0.1 VVV.cftianyue.net

127.0.0.1 VVV.cftianyue.com

127.0.0.1 VVV.cftianyue.cn

127.0.0.1 VVV.cftianyue.tk

127.0.0.1 VVV.cfbingyue.cc

127.0.0.1 VVV.cfbingyue.net

127.0.0.1 VVV.cfbingyue.com

127.0.0.1 VVV.cfbingyue.cn

127.0.0.1 VVV.cfbingyue.tk

127.0.0.1 VVV.cfpanguan.cc

127.0.0.1 VVV.cfpanguan.net

127.0.0.1 VVV.cfpanguan.com

127.0.0.1 VVV.cfpanguan.cn

127.0.0.1 VVV.cfpanguan.tk

127.0.0.1 VVV.cflingyu.cc

127.0.0.1 VVV.cflingyu.net

127.0.0.1 VVV.cflingyu.com

127.0.0.1 VVV.cflingyu.cn

127.0.0.1 VVV.cflingyu.tk

127.0.0.1 VVV.cfmaidang.cc

127.0.0.1 VVV.cfmaidang.net

127.0.0.1 VVV.cfmaidang.com

127.0.0.1 VVV.cfmaidang.cn

127.0.0.1 VVV.cfmaidang.tk

127.0.0.1 VVV.cfxingyu.cc

127.0.0.1 VVV.cfxingyu.net

127.0.0.1 VVV.cfxingyu.com

127.0.0.1 VVV.cfxingyu.cn

127.0.0.1 VVV.cfxingyu.tk

127.0.0.1 VVV.cfhongchen.cc

127.0.0.1 VVV.cfhongchen.net

127.0.0.1 VVV.cfhongchen.com

127.0.0.1 VVV.cfhongchen.cn

127.0.0.1 VVV.cfhongchen.tk

127.0.0.1 VVV.cfyalan.cc

127.0.0.1 VVV.cfyalan.net

127.0.0.1 VVV.cfyalan.com

127.0.0.1 VVV.cfyalan.cn

127.0.0.1 VVV.cfyalan.tk

127.0.0.1 VVV.cfluoye.cc

127.0.0.1 VVV.cfluoye.net

127.0.0.1 VVV.cfluoye.com

127.0.0.1 VVV.cfluoye.cn

127.0.0.1 VVV.cfluoye.tk

127.0.0.1 yy.cfyalan.cc

127.0.0.1 yy.cfyalan.net

127.0.0.1 yy.cfyalan.com

127.0.0.1 yy.cfyalan.cn

127.0.0.1 yy.cfyalan.tk

winmm.dll

GetAsyncKeyState

1026072572

(v1.0).txt

ZwReadVirtualMemorykernel32.dll

-1957298293

crossfire.exe

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

hXXp://VVV.super-ec.cn

<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

ws2_32.dll

psapi.dll

shlwapi.dll

ifTp

x,-l}x

keYV7

?%XiS

.jiee

~.xnO

xl.mN

.XL}.Z

.CB<1

C:\]_

>%xB_

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

iphlpapi.dll

MPR.dll

WINMM.dll

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCreateKeyA

RegCreateKeyExA

ShellExecuteA

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

1"262=2}2

-03090?0

: ;$;(;,;0;

1%1S1\1i1{1

>!? ?0?:?

3 3$3(3,3034383

5 5$5(5,5

4*5a6U7

01Q1~1

Adobe Photoshop CS3 Windows

2014:10:12 17:58:49

urlTEXT

MsgeTEXT

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xap:CreateDate="2014-10-12T17:55:10 08:00" xap:ModifyDate="2014-10-12T17:58:49 08:00" xap:MetadataDate="2014-10-12T17:58:49 08:00" xap:CreatorTool="Adobe Photoshop CS3 Windows" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:History="" xapMM:InstanceID="uuid:CF772E16F651E4118F20C69095130466" tiff:Orientation="1" tiff:XResolution="960000/10000" tiff:YResolution="960000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;0AEF806470E7FAF8AB026717B2FA68C3" exif:PixelXDimension="190" exif:PixelYDimension="44" exif:ColorSpace="-1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;A7A55819FF2931235B313E10F9CADC5C"/> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>

.llSu,

.owIo

%u}5K

it.nl

#.Soe0

RASAPI32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

InternetCanonicalizeUrlA

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

12c.exe

c:\%original file name%.exe

{D67584FF-E55D-4b29-9E9B-27BE35AA4D58}PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

mscoree.dll

Um den entwicklungsprozess zu unterst?zen wird dieses programm alle n?igen informationen ?er den absturz sammeln. Diese daten k?nen dann an den produktsupport ?ertragen, oder gespeichert werden.

Produktsupport:

To help the development process, this program will try and gather the information about the crash, and the state of your machine at the time of the crash. This data can then be submitted to product support or saved to a file.

Product support site:

hXXp://VVV.intellesoft.net

BugTrap - software error reporting tool

Operating System

Vorschau der Reportdateien

Preview Report Files

Report senden...

Sending error report

Vorschau der reportdateien.,Fehlerinformationen in eine datei speichern. Eine email an den produktsupport versenden.EEinen automatisch generierten report an den produktsupport versenden..Informationen ?er das betriebssystem anzeigen.6Alle laufenden prozesse und geladenen module anzeigen.

BugTrap"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Neowiz Games"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Fehlerbericht fertig.7Fehler: konnte den report nicht an den server versenden

Error report complete.,Error: can't send error report to the server

Bild einpassen

1.3.3661.37713

(*.*)

20141012175509

%original file name%.exe_2008_rwx_0049B000_00006000:

00000000

ntdll.dll

user32.dll

gdi32.dll

Client.exe

tcls\Client.exe

BugTrap.dll

.text

`.rdata

@.data

.rsrc

@.reloc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\%original file name%.exe{183A1AE6-895A-4c83-B991-69E906491862} (15506 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\EF.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7J6844YF\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ED.tmp (4545 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
   %System%\drivers\etc\hosts (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SLMZWDIR\desktop.ini (67 bytes)
   C:\RCXF1.tmp (295602 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (165 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\EE.tmp (3361 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FYJBLB51\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPJNZEPJ\desktop.ini (67 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.