MD5: 1216728a4137b88f3a8bd940a4d00049
SHA1: d2760169f2a8954b0f87e9d5e66a6769599f12f6
SHA256: dcdd998cd6836e49c4faa4030c0ae670cf44690aa6b556b53c560c04fd1f3e9d
SSDeep: 24576:MK6WrH3ERenow4W Bt7hUIgYF jmhPMpZ8N3FscMbsJOTdXILMEPE9 mAQ4NBFpp:Me3E6Mb7hUYAj7Y3Ms4yMEM9Co8x5T/
Size: 2273280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: iWebar
Created at: 2014-10-27 20:25:12
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
C:\%original file name%.exe{9D5B0E38-5BC3-4e96-BB03-405EA86B8DCA} (15506 bytes)
C:\RCXB6.tmp (296281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
C:\%original file name%.exe{9D5B0E38-5BC3-4e96-BB03-405EA86B8DCA} (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 15 AE 4E 2A 0F 4C 94 9F 24 92 AA 57 D8 14 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_@B5.tmp,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 3143 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

|$D.tm

~%UVW

u$SShe

kernel32.dll

advapi32.dll

ntdll.dll

Kernel32.dll

user32.dll

Shlwapi.dll

Psapi.dll

RegOpenKeyExA

MsgWaitForMultipleObjects

00000000

gdi32.dll

WScript.Shell

krnln.fnr

krnln.fne

@.reloc

winmm.dll

GetAsyncKeyState

1026072572

(v1.0).txt

ZwReadVirtualMemorykernel32.dll

-1957298293

crossfire.exe

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

hXXp://VVV.super-ec.cn

<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

ws2_32.dll

psapi.dll

shlwapi.dll

ifTp

x,-l}x

keYV7

?%XiS

.jiee

~.xnO

xl.mN

.XL}.Z

.CB<1

C:\]_

>%xB_

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

9%9U9e:

01q1

1-2r2

0(1,1014181<1@1{1

2"3'3-343

$0(0,0004080<0@0

6a6D6[6a6m6

8094989<9@9

9’9C9Y9y9

4$5(5,50545

7$8(8,80848

4 545@5\5|5

'6\~%System%\drivers\etc\hosts

127.0.0.1 cfluoye.cc

127.0.0.1 cfluoye.net

127.0.0.1 cfluoye.com

127.0.0.1 cfluoye.cn

127.0.0.1 cfluoye.tk

127.0.0.1 cfwudao.cc

127.0.0.1 cfwudao.net

127.0.0.1 cfwudao.com

127.0.0.1 cfwudao.cn

127.0.0.1 cfwudao.tk

127.0.0.1 cfmogu.cc

127.0.0.1 cfmogu.net

127.0.0.1 cfmogu.com

127.0.0.1 cfmogu.cn

127.0.0.1 cfmogu.tk

127.0.0.1 cfty.cc

127.0.0.1 cfty.net

127.0.0.1 cfty.com

127.0.0.1 cfty.cn

127.0.0.1 cfty.tk

127.0.0.1 cftianyue.cc

127.0.0.1 cftianyue.net

127.0.0.1 cftianyue.com

127.0.0.1 cftianyue.cn

127.0.0.1 cftianyue.tk

127.0.0.1 cfbingyue.cc

127.0.0.1 cfbingyue.net

127.0.0.1 cfbingyue.com

127.0.0.1 cfbingyue.cn

127.0.0.1 cfbingyue.tk

127.0.0.1 cfpanguan.cc

127.0.0.1 cfpanguan.net

127.0.0.1 cfpanguan.com

127.0.0.1 cfpanguan.cn

127.0.0.1 cfpanguan.tk

127.0.0.1 cflingyu.cc

127.0.0.1 cflingyu.net

127.0.0.1 cflingyu.com

127.0.0.1 cflingyu.cn

127.0.0.1 cflingyu.tk

127.0.0.1 cfmaidang.cc

127.0.0.1 cfmaidang.net

127.0.0.1 cfmaidang.com

127.0.0.1 cfmaidang.cn

127.0.0.1 cfmaidang.tk

127.0.0.1 cfxingyu.cc

127.0.0.1 cfxingyu.net

127.0.0.1 cfxingyu.com

127.0.0.1 cfxingyu.cn

127.0.0.1 cfxingyu.tk

127.0.0.1 cfhongchen.cc

127.0.0.1 cfhongchen.net

127.0.0.1 cfhongchen.com

127.0.0.1 cfhongchen.cn

127.0.0.1 cfhongchen.tk

127.0.0.1 cfyalan.cc

127.0.0.1 cfyalan.net

127.0.0.1 cfyalan.com

127.0.0.1 cfyalan.cn

127.0.0.1 cfyalan.tk

127.0.0.1 VVV.cfwudao.cc

127.0.0.1 VVV.cfwudao.net

127.0.0.1 VVV.cfwudao.com

127.0.0.1 VVV.cfwudao.cn

127.0.0.1 VVV.cfwudao.tk

127.0.0.1 VVV.cfmogu.cc

127.0.0.1 VVV.cfmogu.net

127.0.0.1 VVV.cfmogu.com

127.0.0.1 VVV.cfmogu.cn

127.0.0.1 VVV.cfmogu.tk

127.0.0.1 VVV.cfty.cc

127.0.0.1 VVV.cfty.net

127.0.0.1 VVV.cfty.com

127.0.0.1 VVV.cfty.cn

127.0.0.1 VVV.cfty.tk

127.0.0.1 VVV.cftianyue.cc

127.0.0.1 VVV.cftianyue.net

127.0.0.1 VVV.cftianyue.com

127.0.0.1 VVV.cftianyue.cn

127.0.0.1 VVV.cftianyue.tk

127.0.0.1 VVV.cfbingyue.cc

127.0.0.1 VVV.cfbingyue.net

127.0.0.1 VVV.cfbingyue.com

127.0.0.1 VVV.cfbingyue.cn

127.0.0.1 VVV.cfbingyue.tk

127.0.0.1 VVV.cfpanguan.cc

127.0.0.1 VVV.cfpanguan.net

127.0.0.1 VVV.cfpanguan.com

127.0.0.1 VVV.cfpanguan.cn

127.0.0.1 VVV.cfpanguan.tk

127.0.0.1 VVV.cflingyu.cc

127.0.0.1 VVV.cflingyu.net

127.0.0.1 VVV.cflingyu.com

127.0.0.1 VVV.cflingyu.cn

127.0.0.1 VVV.cflingyu.tk

127.0.0.1 VVV.cfmaidang.cc

127.0.0.1 VVV.cfmaidang.net

127.0.0.1 VVV.cfmaidang.com

127.0.0.1 VVV.cfmaidang.cn

127.0.0.1 VVV.cfmaidang.tk

127.0.0.1 VVV.cfxingyu.cc

127.0.0.1 VVV.cfxingyu.net

127.0.0.1 VVV.cfxingyu.com

127.0.0.1 VVV.cfxingyu.cn

127.0.0.1 VVV.cfxingyu.tk

127.0.0.1 VVV.cfhongchen.cc

127.0.0.1 VVV.cfhongchen.net

127.0.0.1 VVV.cfhongchen.com

127.0.0.1 VVV.cfhongchen.cn

127.0.0.1 VVV.cfhongchen.tk

127.0.0.1 VVV.cfyalan.cc

127.0.0.1 VVV.cfyalan.net

127.0.0.1 VVV.cfyalan.com

127.0.0.1 VVV.cfyalan.cn

127.0.0.1 VVV.cfyalan.tk

127.0.0.1 VVV.cfluoye.cc

127.0.0.1 VVV.cfluoye.net

127.0.0.1 VVV.cfluoye.com

127.0.0.1 VVV.cfluoye.cn

127.0.0.1 VVV.cfluoye.tk

127.0.0.1 yy.cfyalan.cc

127.0.0.1 yy.cfyalan.net

127.0.0.1 yy.cfyalan.com

127.0.0.1 yy.cfyalan.cn

127.0.0.1 yy.cfyalan.tk

Client.exe

tcls\Client.exe

BugTrap.dll

tGHt.Ht&

message.txt

MAPI32.DLL

PSAPI.DLL

IMPORTANT

d/d/d d:d:d

%s.bmp

%s%d.bmp

FLT_INVALID_OPERATION

FLT_DENORMAL_OPERAND

EAX=X EBX=X ECX=X EDX=X

ESI=X EDI=X FLG=X

EBP=X ESP=X EIP=X

CS=X DS=X SS=X ES=X FS=X GS=X

Windows NT 3.51

Windows 95

Windows NT 4.0

Windows 98

Windows Me

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

OS Version: %s %s

Build Number: %s

%s_ddd-ddd.%s

error_report

line %s

line %s %s byte(s)

%s() %s byte(s)

cmdline

usermsg

report

This %s was automatically generated

by BugTrap for Win32-x86 on %s

error report

Operating System:

KERNEL32.DLL

crashdump.dmp

errorlog.%s

UxTheme.dll

reports

\StringFileInfo\xx\ProductVersion

\StringFileInfo\xx\ProductName

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

x,

hex(x):

dword:x

; Error: cannot open registry key [

Windows Registry Editor Version 5.00

BT01Error Report

"%s" Error Report

wininet.dll

BugTrap-1.3.3661.37713.dmp

DBGHELP.DLL

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184--

Content-Type: multipart/form-data; boundary=BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

--BUGTRAP-7A1D6378-1294-491B-996C-37D4FF91D184

Content-Disposition: form-data; name="reportData"; filename="report.dat"

Content-Disposition: form-data; name="reportFileExtension"

hXXp://

%s\TEMP%lu

Unuspported URL scheme

Invalid URL

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

d:\1.

_ERS\BugTrapSrc\BugTrap\Win32\Bin\BugTrap.pdb

PathCreateFromUrlA

UrlIsA

PathIsURLA

HttpEndRequestA

HttpSendRequestExA

HttpOpenRequestA

InternetCrackUrlA

GetConsoleOutputCP

RegEnumKeyExA

BT_ExportRegistryKey

BT_GetReportFilePath

BT_GetReportFormat

BT_GetSupportEMail

BT_GetSupportHost

BT_GetSupportPort

BT_GetSupportURL

BT_SetReportFilePath

BT_SetReportFormat

BT_SetSupportEMail

BT_SetSupportHost

BT_SetSupportPort

BT_SetSupportServer

BT_SetSupportURL

check.avi Video #1

[,|46~=_

O$%C)*>*.?,(6&*8'#2!

$KÜB

)J'1G.JUEFC?WQRQOOOOOOOONNNKKKHHHEEECCC???:::444///   '''$$$

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

161@1`1~1

6'747 :5:?:`:

:.;4;8;<;@;

2*3034383<3

Adobe Photoshop CS3 Windows

2014:10:12 17:58:49

urlTEXT

MsgeTEXT

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xap:CreateDate="2014-10-12T17:55:10 08:00" xap:ModifyDate="2014-10-12T17:58:49 08:00" xap:MetadataDate="2014-10-12T17:58:49 08:00" xap:CreatorTool="Adobe Photoshop CS3 Windows" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:History="" xapMM:InstanceID="uuid:CF772E16F651E4118F20C69095130466" tiff:Orientation="1" tiff:XResolution="960000/10000" tiff:YResolution="960000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;0AEF806470E7FAF8AB026717B2FA68C3" exif:PixelXDimension="190" exif:PixelYDimension="44" exif:ColorSpace="-1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;A7A55819FF2931235B313E10F9CADC5C"/> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>

.llSu,

.owIo

%u}5K

it.nl

#.Soe0

RASAPI32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

InternetCanonicalizeUrlA

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

049.exe

c:\%original file name%.exe

{31C1CE39-A2B2-41e9-B024-0B8684AB53BE}PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

(*.*)

mscoree.dll

Um den entwicklungsprozess zu unterst?zen wird dieses programm alle n?igen informationen ?er den absturz sammeln. Diese daten k?nen dann an den produktsupport ?ertragen, oder gespeichert werden.

Produktsupport:

To help the development process, this program will try and gather the information about the crash, and the state of your machine at the time of the crash. This data can then be submitted to product support or saved to a file.

Product support site:

hXXp://VVV.intellesoft.net

BugTrap - software error reporting tool

Operating System

Vorschau der Reportdateien

Preview Report Files

Report senden...

Sending error report

Vorschau der reportdateien.,Fehlerinformationen in eine datei speichern. Eine email an den produktsupport versenden.EEinen automatisch generierten report an den produktsupport versenden..Informationen ?er das betriebssystem anzeigen.6Alle laufenden prozesse und geladenen module anzeigen.

BugTrap"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Neowiz Games"Terminate interrupted application.!Preview contents of report files.(Save detailed error information to file..Send custom e-mail message to product support.;Send automatically generated bug report to product support. Display information about operating system.*List running processes and loaded modules.

Fehlerbericht fertig.7Fehler: konnte den report nicht an den server versenden

Error report complete.,Error: can't send error report to the server

Bild einpassen

1.3.3661.37713

20141012175509

H.HNHSHmHrH

%original file name%.exe_576_rwx_0049C000_00006000:

00000000

ntdll.dll

user32.dll

gdi32.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\%original file name%.exe (15506 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\drivers\etc\hosts (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
   C:\%original file name%.exe{9D5B0E38-5BC3-4e96-BB03-405EA86B8DCA} (15506 bytes)
   C:\RCXB6.tmp (296281 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.