Trojan-Downloader.Win32.Genome.poac_041d0ccd02
Trojan-Downloader.Win32.Genome.poac (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 041d0ccd026a9e3153b0f112232317ab
SHA1: 38b9b38dad347837d15ad511a0be6a9a4aac42d6
SHA256: 0d96c6bb49c0ce4eda8ef2073f61a57c4ba167d7f869c4c911272f13c21c543c
SSDeep: 1536:MVdePelp2Xy tuQOzOYE5aXPnECwF8rT62duQt36f2e/23VcynQTlFMEeKqEaXhm:PweqOYEUXPnECXxh6McLlOEvCh9dJ9MZ
Size: 110717 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-24 21:19:59
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
WebAdSystem_setup.exe:1328
The Trojan-Downloader injects its code into the following process(es):
%original file name%.exe:312
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (5390 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebAdSystem\WebAdSystem_setup.exe (75249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\inetc.dll (784 bytes)
The Trojan-Downloader deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)
The process WebAdSystem_setup.exe:1328 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\BootstrapperApplicationData.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\icon.png (834 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme_passive.wxl (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebAdSystem_20150326024602.log (11443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\license.rtf (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme.wxl (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\welcome.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme.xml (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\logo.png (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme_passive.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\wixstdba.dll (3295 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD BF 8A CA E7 EC 31 E6 DA 3F 6F 58 4A E3 5E 4F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan-Downloader modifies the IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Downloader modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Downloader modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process WebAdSystem_setup.exe:1328 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D B9 E6 5C CF EE BC 38 18 D4 CA FD 6C 7D 4D F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Dropped PE files
| MD5 | File path |
|---|---|
| 1b8f16a91e30d2ba0ca23bcee08ed5a8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WebAdSystem\WebAdSystem_setup.exe |
| bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp3.tmp\System.dll |
| 5da9df435ff20853a2c45026e7681cef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp3.tmp\inetc.dll |
| 6077d25ef6a4b772d49229ad66ee5e34 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\wixstdba.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 28432 | 28672 | 4.50399 | f569e353af0ed51bf4c216faa9bed4e7 |
| .rdata | 32768 | 10898 | 11264 | 3.04561 | 91eee43954e068e650f7b73a8b0e6915 |
| .data | 45056 | 425660 | 512 | 1.02085 | db9f7acbf1c3ddfe255077b699955dfa |
| .ndata | 471040 | 1003520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 1474560 | 2552 | 2560 | 3.15644 | 129a024863b92f38fe336e61b65c46f1 |
| .reloc | 1478656 | 3978 | 4096 | 3.93376 | 1a82862ed7bdc9a512f6ff8c4e0579a2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://webadsystem.com/download/x86/?src_id=144 | |
| hxxp://www.webadsystem.com/download/x86/?src_id=144 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
GET /download/x86/?src_id=144 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.webadsystem.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 26 Mar 2015 00:45:55 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Vary: Accept-Language, Cookie
Content-Length: 1418784
Content-Language: fr
Content-Disposition: attachment; filename=WebAdSystem_setup.exe

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......O.X...6...6.
..6.......6.....n.6.......6.......6...7.J.6.....l.6.......6.......6...
....6.Rich..6.........PE..L...o..P.................h...........]......
......@.................................|.....@.......................
..............,....p...2.......... ............0......................
....8...........@...............t............................text....f
.......h.................. ..`.rdata...............l..............@..@
.data... [email protected]................
......@[email protected].........`[email protected]..
................@[email protected]...<[email protected].......
......................................................................
......................................................................
......................................................................
...............................................U..Qj.j.j.j.....C..e...
E.P.u..u..u..L.....x..E.....U..Q.e..V....d....W.=x.C.V..\.............
..P....l...P.F.........P.:....E.P..|.C.P. ....E..........`.....HV.X...
....y.hT.C.V.....YY_..^..........t.P...........P.......l...P.......h..
...t.P...........W..t.P..$.C.........=(.C.......P........P.:.........P
...........P..u........P.._........P..A........P.^:........P..-.......
.P..*[email protected](..t.P.............t.P.............t.P.
............t.P.............t.P.......d......t.P..t.C.V..h....j.V.<<< skipped >>>
The Trojan-Downloader connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
6%6S6v6~6
FtpCommandW
Filename: %s
MSVCRT.dll
HttpSendRequestW
HttpSendRequestExW
HttpQueryInfoW
FtpCreateDirectoryW
FtpOpenFileW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
HttpOpenRequestW
HttpEndRequestW
InternetCrackUrlW
WININET.dll
inetc.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")Exec: success ("%s")Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")ExecShell: warning: error ("%s": file:"%s" params:"%s")=%dExch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")RMDir: RemoveDirectory on Reboot("%s")RMDir: RemoveDirectory("%s")RMDir: RemoveDirectory invalid input("%s")Delete: DeleteFile failed("%s")Delete: DeleteFile on Reboot("%s")Delete: DeleteFile("%s")%s: failed opening file "%s"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WebAdSystem\WebAdSystem_setup.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\inetc.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\inetc.dll
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
Wwininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
nsp3.tmp
Exec: success (""C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WebAdSystem\WebAdSystem_setup.exe" ")tmp\inetc.dll"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WebAdSystem\WebAdSystem_setup.exe
\%original file name%.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WebAdSystem
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
WebAdSystem_setup.exe
hXXp://VVV.webadsystem.com/download/x86/?src_id=144
WebAdSystem_setup.exe_1328:
.text
`.rdata
@.data
.wixburn8
@.tls
.rsrc
@.reloc
Ht.Ht Ht
FtPhD
tù8t
^Xh4%D
.hxcD
t3f98t.WP
SSSSh
j.Yf;
j.Xf;
PSSSSSSh
engine.cpp
Failed to set elevated pipe into thread local storage for logging.
Failed to create pipes to connect to elevated parent process.
3.7.1224.0
Failed to find container info, too few elements: %u
section.cpp
Failed to read section info, unsupported version: x
Failed to read section info, data to short: %u
Failed to read complete image section header, index: %u
Failed to read image section header, index: %u
.wixburn
Failed to allocate pipe secret.
Failed to convert pipe guid into string.
Failed to create pipe guid.
pipe.cpp
Failed to allocate pipe name.
Failed to read ACK from pipe.
Failed to write our process id to pipe.
Failed to write secret to pipe.
Failed to write secret length to pipe.
Failed to reset pipe to blocking.
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read verification process id from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read size of verification secret from parent pipe.
No status returned to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to get message over pipe
Failed to process message: %u
Failed to allocate full name of cache pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of pipe: %ls
Failed to create the security descriptor for the connection event and pipe.
Failed to open companion process with PID: %u
Failed to allocate name of parent cache pipe.
Failed to verify parent pipe: %ls
Failed to open parent pipe: %ls
Failed to allocate name of parent pipe.
Failed to pump messages during send message to pipe.
Failed to write send message to pipe.
catalog.cpp
package.cpp
Failed to parse EXE package.
Failed to hex decode @CertificateRootThumbprint.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to get @DownloadUrl.
payload.cpp
Failed to get directory portion of local file path
Failed to open registration key.
Failed to format pending restart registry key to read.
registration.cpp
Failed to build cached executable path.
Failed to build uninstall registry key path.
Failed to write run key value.
Failed to create run key.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to remove update registration key: %ls
Failed to format key for update registration.
Failed to get @UpdateUrl.
Failed to get @AboutUrl.
Failed to get @ExecutableName.
Failed to get @ProviderKey.
Failed to overwrite the bundle provider key built-in variable.
Failed to delete registration key: %ls
Failed to write volatile reboot required registry key.
Failed to create the key for update registration.
Failed to get the formatted key path for update registration.
Failed to register the bundle dependency key.
Failed to create registration key.
Directory search: %ls, did not find path: %ls, reason: 0x%x
search.cpp
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
Failed to open registry key. Key = '%ls'
Registry key not found. Key = '%ls'
Failed to format key string.
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Unsupported registry key value type. Type = '%u'
Failed to query registry key value size.
Failed to open registry key.
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
Failed to get Key attribute.
Unsupported variable type.
variable.cpp
Failed to get msi.dll version info.
Failed to find DllGetVersion entry point in msi.dll.
Failed to get windows directory.
Failed to open Windows folder key.
Setting variable failed: ID '%ls', HRESULT 0x%x
userexperience.cpp
Failed to append passthrough to command-line.
Failed to format passthrough for command-line.
core.cpp
Failed while caching, aborting execution.
Another per-machine setup is already executing.
Another per-user setup is already executing.
Package type not supported by detect yet.
Failed to report detected related bundles.
Failed to detect provider key bundle id.
Failed to execute searches.
Failed to plan passthrough.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
elevation.cpp
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Failed to execute dependent registration action for provider key: %ls
Failed to read dependent provider key.
Failed to execute package provider action.
Failed to execute package dependency action.
Failed to read bundle dependency key from message buffer.
Invalid message type: %d
Failed to create pipe and cache pipe.
Failed to create pipe name and client token.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write bundle dependency key to message buffer.
Unexpected elevated cache message sent to child process, msg: %u
Failed to execute EXE package.
Failed to read exe package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to set elevated cache pipe into thread local storage for logging.
Unexpected elevated message sent to child process, msg: %u
uithread.cpp
logging.cpp
Failed to set download password.
Failed to set download URL.
UX denied while trying to set download URL on embedded payload: %ls
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to copy executable path to resume command-line.
plan.cpp
Failed to copy dependent provider key to rollback registration action.
Failed to copy dependent provider key to registration action.
Failed to add dependent bundle provider key to ignore dependents.
Unexpected relation type encountered during plan: %d
Failed to append execute action.
Failed to get path for executing module as attached container working path.
Failed to finalize slipstream execute actions.
Failed to remove unnecessary execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to to copy executable name for bundle.
Failed to get executing process as layout directory.
Failed to get path for current executing process as layout directory.
Failed to append execute checkpoint.
Failed to plan execute package.
Failed to plan rollback boundary for passthrough package.
Failed to process passthrough package.
splashscreen.cpp
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
condition.cpp
Failed to parse condition '%ls' at position: %u
cache.cpp
Failed to seek to original data in exe burn section header.
Failed to seek to signature table in exe header.
Failed to seek to checksum in exe header.
Failed to find expected public key in certificate chain.
Failed to read certificate thumbprint.
Failed to get certificate public key identifier.
Failed to verify expected payload against actual certificate chain.
Failed to get signer chain from authenticode certificate.
Failed to get provider state from authenticode certificate.
Failed to evaluate executable package detect condition.
Invalid package current state: %d.
exeengine.cpp
Failed to insert execute action.
Failed to wait for executable to complete: %ls
Bootstrapper application aborted during EXE progress.
Process returned error: 0x%x
Failed to create obfuscated executable command.
Failed to create executable command.
Failed to get action arguments for executable package.
Failed to build executable path.
msiengine.cpp
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
mspengine.cpp
msuengine.cpp
Failed to allocate WUSA.exe path.
Unrecognized registration action type: %d
dependency.cpp
Failed to append the key "%ls".
Failed to add the provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to initialize provider key bundle id.
Failed to get provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to add the package provider key "%ls" to the planned list.
Failed to append provider execute action.
Failed to insert provider execute action.
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
container.cpp
Failed to get path for executing module.
Failed to read provider key from registry for bundle: %ls
relatedbundle.cpp
Failed to open uninstall key for potential related bundle: %ls
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall registry key.
Failed to execute dependent registration action.
apply.cpp
Failed attempt to download URL: '%ls' to: '%ls'
UX aborted EXE package execute progress.
Failed to configure per-user EXE package.
Failed to configure per-machine EXE package.
UX aborted EXE progress.
UX aborted execute EXE package begin.
UX aborted MSI package execute progress.
UX aborted execute MSI package begin.
UX aborted MSP package execute progress.
BA aborted execute MSP target.
UX aborted execute MSP package begin.
UX aborted MSU package execute progress.
UX aborted execute MSU package begin.
Invalid execute action.
Failed to execute dependency action.
Failed to execute package provider registration action.
Invalid rollback action: %d.
BA aborted execute begin.
detect.cpp
Unexpected relation type encountered: %d
Failed to copy key for pseudo bundle.
Failed to copy key for pseudo bundle payload.
pseudobundle.cpp
Failed to copy uninstall arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy install arguments for passthrough bundle package
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy key for passthrough pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
NetFxChainer.cpp
Unexpected embedded message sent to child process, msg: %u
embedded.cpp
Failed to wait for embedded executable: %ls
Failed to wait for embedded process to connect to pipe.
Failed to create embedded pipe.
Failed to create embedded pipe name and client token.
<the>.cab
Invalid operation for this state.
Failed to reset begin operation event.
Failed to wait for begin operation event.
Failed to set operation complete event.
cabextract.cpp
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to move file pointer 0x%x bytes.
Faild to begin and wait for operation.
Failed to initialize cabinet.dll.
Failed to wait for operation complete.
Failed to create operation complete event.
Failed to create begin operation event.
Failed to add header to HTTP request.
downloadengine.cpp
Failed to get redirect url: %ls
Failed to get HTTP status code for request to URL: %ls
Unknown HTTP status code %d, returned from URL: %ls
Failed to get HTTP status code for failed request to URL: %ls
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Failed to send request to URL: %ls
Failed to open internet URL: %ls
Failed to connect to URL: %ls
Failed to break URL into server and resource parts.
Failed to request URL for download: %ls
Failed to download URL: %ls
Failed to get size and time for URL: %ls
Failed to copy download source URL.
bitsengine.cpp
Failed to copy download URL.
Invalid BITS engine URL: %ls
GetProcessWindowStation
operator
logutil.cpp
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
procutil.cpp
strutil.cpp
pathutil.cpp
memutil.cpp
buffutil.cpp
srputil.cpp
RegDeleteKeyExW
regutil.cpp
wiutil.cpp
xmlutil.cpp
kernel32.dll
fileutil.cpp
dirutil.cpp
wuautil.cpp
dictutil.cpp
aclutil.cpp
cryputil.cpp
certutil.cpp
svcutil.cpp
inetutil.cpp
uriutil.cpp
deputil.cpp
E:\delivery\Dev\wix37_public\build\ship\x86\burn.pdb
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjects
USER32.dll
OLEAUT32.dll
GDI32.dll
SHELL32.dll
ole32.dll
ConnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
GetWindowsDirectoryW
SetThreadExecutionState
KERNEL32.dll
Cabinet.dll
CryptHashPublicKeyInfo
CRYPT32.dll
msi.dll
RPCRT4.dll
HttpAddRequestHeadersW
HttpOpenRequestW
HttpSendRequestW
WININET.dll
WINTRUST.dll
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
ShellExecuteExW
VERSION.dll
GetCPInfo
GetProcessHeap
CertGetCertificateContextProperty
HttpQueryInfoW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="setup.exe" version="1.0.0.0" processorArchitecture="x86" type="win32"></assemblyIdentity><description>WiX Toolset Bootstrapper</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS></application></compatibility></assembly>
burn.runonce
burn.unelevated
burn.elevated
\\.\pipe\%ls.Cache
\\.\pipe\%ls
BurnPipe.%s
.%ls -%ls %ls %ls %u
-q -%ls %ls %ls %u
.Catalog
.PayloadRef
.PatchTargetCode
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
CertificateRootThumbprint
CertificateRootPublicKeyIdentifier
DownloadUrl
WixBundleProviderKey
BundleProviderKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
ParentKeyName
URLUpdateInfo
URLInfoAbout
%ls.RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s\state.rsm
%s\%s
UpdateUrl
AboutUrl
.ProviderKey
.Version
.Registration
keyPath
[\%c]
SOFTWARE\Microsoft\Windows\CurrentVersion
WindowsVolume
WindowsFolder
NTSuiteWebServer
..ba%d
burn.ignoredependencies
burn.disable.unelevate
burn.passthrough
burn.related.update
burn.related.patch
burn.related.addon
burn.related.upgrade
burn.related.detect
burn.log.append
burn.embedded
/passive
passive
%ls%hs%ls_%u_%ls%ls.%ls
SOFTWARE\Policies\Microsoft\Windows\Installer
.unverified
.RepairArguments
.DetectCondition
"%ls" %s
. REMOVE="%s"
ADVERTISE="%s"
REINSTALL="%s"
. ADDDEFAULT="%s"
ADDSOURCE="%s"
ADDLOCAL="%s"
%s$="%s"
.SlipstreamMsp
.MsiFeature
wusa.exe
Imported
.Provides
.Extension
.%ls /pipe %ls
.HEAD
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
p%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
0xx
p\\?\UNC
%ls_uuuuuu%ls%ls%ls
srclient.dll
WAdvApi32.dll
Msi.dll
MSXML.DOMDocument
Msxml2.DOMDocument
%u.%u.%u.%u
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Microsoft.Update.AutoUpdate
hu-hu-huThu:hu:hu%cu:u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WebAdSystem\WebAdSystem_setup.exe
KalityWeb
WebAdSystem
1.4.17.0
KalityWeb. Tous droits r
WebAdSystem_setup.exe
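The strings above are enough to classify the file without running it: the CodeView path `E:\delivery\Dev\wix37_public\build\ship\x86\burn.pdb` and the `burn.elevated` / `burn.unelevated` / `BurnPipe.%s` switches are the WiX Toolset 3.7 Burn bootstrapper engine (whose embedded manifest requests `asInvoker` and which spawns an elevated copy of itself talking over a named pipe when a package needs it), while `WebAdSystem`, `WebAdSystem_setup.exe`, `KalityWeb` and `1.4.17.0` name the bundle itself. The script below is an added example, not part of the Lavasoft report or of WiX: it scans a byte buffer for both sets of markers in ASCII and UTF-16LE form (Burn stores most of its strings wide), pulls the toolset version out of the PDB path and the requested execution level out of the manifest, and keeps the two findings separate, since the Burn markers alone fingerprint a framework that any legitimate installer may use. The buffer produced by `build_sample()` is constructed here from the dump and is not the real file's bytes.

```python
"""Strings-based triage for the sample described on this page.

Added example, not part of the Lavasoft report.  The marker strings are
copied from the dump above; the in-memory sample built by build_sample()
is constructed here so the script runs offline.  Treat the Burn markers as
a framework fingerprint only: every WiX 3.x bootstrapper carries them.
"""
import re
from typing import Dict, List

# WiX Burn engine strings from the dump (generic to any Burn bundle).
BURN_MARKERS = (
    "burn.elevated",
    "burn.unelevated",
    "BurnPipe.%s",
    "WixBundleProviderKey",
    "wixstdba.dll",
)

# Strings from the dump that name this specific bundle and its vendor.
PRODUCT_MARKERS = (
    "WebAdSystem_setup.exe",
    "WebAdSystem",
    "KalityWeb",
)

# The CodeView PDB path is stored as ASCII; the WiX build tree name carries
# the toolset version (wix37_public -> 3.7).
PDB_RE = re.compile(rb"wix(\d)(\d)_public\\[^\x00]*?burn\.pdb")

# Execution level requested by the embedded manifest (also ASCII).
EXEC_LEVEL_RE = re.compile(rb'requestedExecutionLevel level="([A-Za-z]+)"')


def encodings_found(data: bytes, marker: str) -> List[str]:
    """Return which encodings of `marker` appear in `data`.

    Burn keeps most of its strings as UTF-16LE, so searching only for the
    ASCII form would miss them; both forms are checked.
    """
    hits = []
    if marker.encode("ascii") in data:
        hits.append("ascii")
    if marker.encode("utf-16-le") in data:
        hits.append("utf-16le")
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Classify a buffer: Burn engine fingerprint vs. this bundle's own names."""
    burn_hits = [m for m in BURN_MARKERS if encodings_found(data, m)]
    product_hits = [m for m in PRODUCT_MARKERS if encodings_found(data, m)]

    pdb = PDB_RE.search(data)
    wix_version = f"{pdb.group(1).decode()}.{pdb.group(2).decode()}" if pdb else None

    level = EXEC_LEVEL_RE.search(data)
    exec_level = level.group(1).decode() if level else None

    return {
        # The PDB path alone is decisive; otherwise require two engine strings.
        "is_burn_bundle": pdb is not None or len(burn_hits) >= 2,
        "wix_version": wix_version,
        "execution_level": exec_level,
        "burn_markers": burn_hits,
        "product_markers": product_hits,
    }


def build_sample() -> bytes:
    """Constructed stand-in for the dropper (not its real bytes): a handful of
    strings from the dump in the mixed ASCII/UTF-16LE layout a Burn PE uses."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"

    return b"".join([
        b"MZ" + b"\x00" * 62,
        b"E:\\delivery\\Dev\\wix37_public\\build\\ship\\x86\\burn.pdb\x00",
        b'<requestedExecutionLevel level="asInvoker" uiAccess="false">\x00',
        wide("burn.elevated"),
        wide("burn.unelevated"),
        wide("BurnPipe.%s"),
        wide("WebAdSystem_setup.exe"),
        wide("KalityWeb"),
        b"\xff" * 16,
    ])


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real sample; otherwise the constructed buffer is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it against a real file with `python triage.py WebAdSystem_setup.exe`. A hit on `is_burn_bundle` with an empty `product_markers` list means only the installer framework was recognised and should not be reported as this family; the product strings, and the file hashes the report lists, are what tie a sample to this page.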
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WebAdSystem_setup.exe:1328
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (5390 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebAdSystem\WebAdSystem_setup.exe (75249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\BootstrapperApplicationData.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\icon.png (834 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme_passive.wxl (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebAdSystem_20150326024602.log (11443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\license.rtf (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme.wxl (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\welcome.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme.xml (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\logo.png (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\theme_passive.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{d5710427-65cc-4faa-9a8f-e6ecfebdd5ca}\.ba1\wixstdba.dll (3295 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.