Trojan-Dropper.Win32.Vtimrun_2060679601

by malwarelabrobot on June 22nd, 2014 in Malware Descriptions.

MemScan:Application.Bundler.Outbrowse.E (BitDefender), OutBrowse (fs) (VIPRE), MemScan:Application.Bundler.Outbrowse (FSecure), Generic.EAF (AVG), MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 20606796012c68c70a6c33f9f5581d82
SHA1: 8a493c37c486cdedbe27031179675146daf48118
SHA256: 6caa6a99178d03ab2d81b72a05f8ac5cb434e0f9079697e5eaf24880914297d0
SSDeep: 24576:IacX5fMvV/ZBjE9EAp3eX/pzrUZYLYWbGF:dTjErp6hzrUeLlbI
Size: 944624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended to stealthily install other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

wmic.exe:1244
dxwsetup.exe:1552
6_Offer_11.exe:504
mscorsvw.exe:172

The Trojan-Dropper injects its code into the following process(es):

f.exe:1548
%original file name%.exe:560

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process f.exe:1548 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D0AD9OBH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D0AD9OBH\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZQVU5YJ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\Setup_product_6416[1].exe (37311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\BuzzIT2Checker11-6[1].exe (9673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZQVU5YJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_11.exe (12515 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D0AD9OBH\DynamicOfferScreen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)

The process wmic.exe:1244 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)

The process dxwsetup.exe:1552 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%System%\DirectX\websetup\SETB9.tmp (10815 bytes)
%WinDir%\DirectX.log (1635 bytes)
%System%\DirectX\websetup\SETB8.tmp (601 bytes)
%WinDir%\setupapi.log (1296 bytes)

The Trojan-Dropper deletes the following file(s):

%System%\DirectX\websetup\SETB9.tmp (0 bytes)
%System%\DirectX\websetup\SETB8.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)

The process 6_Offer_11.exe:504 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.inf (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dsetup32.dll (25519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.exe (8906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.cif (1111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dsetup.dll (2104 bytes)

The process %original file name%.exe:560 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsMad.dat (23779 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp\System.dll (11 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsmB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp (0 bytes)

Registry activity

The process f.exe:1548 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062120140622]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062120140622]
"CachePrefix" = ":2014062120140622:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062120140622]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 D4 DA DE 78 CE 95 D1 25 CF 38 27 A3 CB 93 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062120140622]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014062120140622\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014062120140622]
"CacheRepair" = "0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

The Trojan-Dropper modifies IE security zone settings to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Dropper deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021320130214]

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wmic.exe:1244 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 01 41 72 0F D5 BB E1 EE 2D 2C D0 70 CA 85 C3"

The process dxwsetup.exe:1552 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C B4 91 06 60 B9 DA 92 AC BA 96 88 77 2F 00 38"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
"INF/oem10.PNF" = "1"

The process 6_Offer_11.exe:504 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 4B 25 69 94 DA 84 71 DB D5 1C 49 42 48 C5 06"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:560 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 01 04 04 C1 10 6E 7B A2 B0 71 8F 10 6D 99 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
8bbb35f59be1f16ca639c8621771f397 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_11.exe
10711c112b8b6b910df358b8d723fdbc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\dsetup.dll
d89abac89ff70bb6de7e287b7200aa91 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\dsetup32.dll
8b40e232719c34324eee465976a5cb16 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\dxwsetup.exe
735074104d8d9b8c51cef0ab489b85b2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f.exe
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsbB5.tmp\System.dll
b8b654dd30c249e00c79f1508a2736e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\BuzzIT2Checker11-6[1].exe
8bbb35f59be1f16ca639c8621771f397 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\Setup_product_6416[1].exe
10711c112b8b6b910df358b8d723fdbc c:\WINDOWS\system32\DirectX\websetup\dsetup.dll
d89abac89ff70bb6de7e287b7200aa91 c:\WINDOWS\system32\DirectX\websetup\dsetup32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: DirectX
Product Version: 3.0
Legal Copyright: DirectX
Legal Trademarks: DirectX
Original Filename:
Internal Name:
File Version:
File Description: DirectX
Comments: setup Installer
Language: Language Neutral

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e
.rsrc | 286720 | 3176 | 3584 | 2.75501 | 7959a1744918265fcb7f6612143a0068

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 17

URLs

URL IP
hxxp://173.194.43.57/tag/js/gpt.js
hxxp://www.googletagservices.com/tag/js/gpt.js
pubads.g.doubleclick.net 173.194.43.58


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tag/js/gpt.js HTTP/1.1
Accept: */*
Referer: hXXp://installer.apps-track.com/installer/ThankYouInner?productid=6416&productname=DirectX
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.googletagservices.com
Connection: Keep-Alive


HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 18265200477297712203
Date: Sat, 21 Jun 2014 10:22:05 GMT
Expires: Sat, 21 Jun 2014 11:22:05 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 12551
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 1015
Alternate-Protocol: 80:quic

<<< skipped >>>

The Trojan-Dropper connects to the servers at the following location(s):

%original file name%.exe_560:


%original file name%.exe_560_rwx_10004000_00001000:

callback%d

f.exe_1548:

cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
.?AVCWebPage@@
zcÁ
{A0386B19-B7E7-4BE7-B567-ABF77CBB6E60} = s `ATLExeServer'
`ATLExeServer.EXE'
val AppID = s {A0386B19-B7E7-4BE7-B567-ABF77CBB6E60}
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{03771AEF-400D-4A13-B712-25878EC4A3F5}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {6D4506CE-F855-4657-AA38-DB6B1F733982} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Thu Mar 13 16:11:05 2014
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
WAdvapi32.dll
SERVER_URL
EXE_URL
EXE_CMDLINE
THANKYOU_URL
exeurl
execmdline
Exception opening/reading chrome cookies
Exception opening/reading opera cookies
a\Microsoft\Windows\Cookies
a\Mozilla\Firefox\Profiles
\Mozilla\Firefox\Profiles
sqlite
cookies.sqlite
Chrome_WidgetWin_1
a\Opera\Opera\
\..\Local\Google\Chrome\User Data\Default\
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
cookies4.dat
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
Found cookie in Chrome!
\..\..\Local Settings\Application Data\Opera\Opera\
Found cookie in Opera!
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
places.sqlite
SELECT url FROM moz_places WHERE url LIKE '%
Found history in Chrome!
SELECT urls.url FROM urls WHERE urls.url LIKE '%
\PreExe_ID_
\default.html
CHROMEVERSION
&chromev=
SOFTWARE\Microsoft\.NETFramework\policy
firefox
chrome
opera
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
ChromeHTML
FirefoxHTML
IE.AssocFile.HTM
Opera.HTML
http\shell\open\command
Opera.exe
Safari.exe
\PostCheck.exe
SOFTWARE\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
aSoftware\Mozilla\Mozilla Firefox
*.txt
@@exeurl
OfferURL
ExeURL
RegKey
ReportName
PreExe
PostExe
RegKey64
AntivirusesRegKeys
RegKey32
Mscoree.dll
OLEAUT32.DLL
{A33DE4AA-9646-4E33-9E44-E472C6312E2F}
888816666554443
6666554443
!6666554443
VirtualOfferCmd:
VirtualOfferCmd
/REPORTURL=
\obhhelper.txt
user32.dll
mscoree.dll
SKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
MSPDB100.DLL
ADVAPI32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
4.0.0.3
setup.exe
4.0.0.1

6_Offer_11.exe_504:

.text
`.data
.rsrc
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
t8SShs7
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
COMCTL32.dll
VERSION.dll
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
DirectX 9.0 Web setup
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
33333330
3333333
33333333
PA"dxwsetup.exe" /windowsupdate
dsetup.dll
dsetup32.dll
dxwsetup.exe
dxwsetup.cif
dxwsetup.inf
"dxwsetup.exe"
P"dxwsetup.exe" /windowsupdate
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
4.09.00.0904
DXWebSetup
dxwebsetup.exe
Microsoft(R) DirectX for Windows(R)

dxwsetup.exe_1552:

.text
`.data
.rsrc
%s %s: %s: (null)
%s %s: %s: %s
%s%s%s
DirectX.log
DXSETUP_DPF(): GetWindowsDirectory() failed.
DXError.log
%s(): %s
DXSError(): FormatMessage() failed, error = %d.
(0x%x)
%s(): %s failed.
%s(): %s failed, error = %d.
%s(): %s failed, error = 0x%x.
module: %s(%s), file: %s, line: %d, function: %s
[%s %s]
Unable to load %s.
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dsetup\inc\dsinline.h
Module: %s, Function: %s
advpack.dll
GetFileVersionInfoBlock(): %s does not have version information.
GetFileVersionInfoBlock(): Unable to get FileVersionInfoSize, file: %s, reason: %d.
ntdll.dll
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\dxwsetup.cpp
DSetupCallback(): Phase = %d, Steps = %d
Unable to remove %s.
Unable to create path string, %s%s.
Unable to create path string, %s\*.*.
Unable to remove: %s which is locked, reason = %d.
DeleteFile("%s") return 0, reason = %d.
Unable to create path string, %s\%s.
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\inline.h
RegOpenKeyEx()
Software\Microsoft\Windows\CurrentVersion\RunOnce
rundll32.exe %s\advpack.dll,DelNodeRunDLL32 "%s\"
GetFileAttributes() returned -1, reason = %d.
kernel32.dll
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\dxwsetup.h
IsIA64(): Windows 2000 or Windows 9x
CDSetup(): try to load dsetup.dll from current dir.
\DirectX\WebSetup
\dsetup.dll
\ntkrnlpa.exe
This platform is not supported.
Unable to create path string, %s\dxupdate.cab.
DXRemoveFile() failed. Unable to remove dxupdate.cab. (Not fatal...)
\dxupdate.cab
%s will be removed at reboot.
Version in CIF: %d.%d.%d.%d
Install Section: [%s]
%s_%s
\system32\drivers\gm.dls
GetWindowsDirectory()
DXVersion: %d.d.d.d
dxwsetup.cif
SetBaseUrl()
http://download.microsoft.com/download/8/0/D/80D7E79D-C0E4-415A-BCCA-E229EAFE2679
IsSupportedPlatform
end of DirectX WindowsUpdate
end of DirectX WindowsUpdate, need to reboot
CreatePropertySheet() returns %d.
dxwsetup.inf
comctl32.dll version: %d.d.d.d
\comctl32.dll
/windowsupdate
OnEngineStatusChange(): EngineStatus = 0x%X, SubStatus = 0x%X
OnStartInstall(): DLSize = %d, InstallSize = %d
OnStartComponent(): ID = %s, DLSize = %d, InstallSize = %d, str = %s
OnComponentProgress(): Phase = %d, Progress = %d
OnStopComponent(): ID = %s, hr = 0x%X, Phase = %d, str = %s, status = 0x%X
OnStopInstall(): hr = 0x%X, str = %s, status = 0x%X
OnEngineProblem(): problem = 0x%X
PlugIn size: %d
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\psheets.cpp
Setup Version: %d.d.d.d.d
DirectX Version: %d.d.d.d.d
dxupdate.dll
wintrust.dll
setupapi.dll
RemoveDXUpdateCab(): %s is removed.
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\dxupdate.cpp
Unable to remove %s, need to remove this file.
dxupdate.cab
%s is not trusted due to certificate problem. Please check valid certificate is installed and Cryptographic Services are enabled.
%s is not trusted. The file may be damaged. Please check valid certificate is installed and Cryptographic Services are enabled.
%s is not trusted. The file is not signed properly.
DXCheckTrust(): %s is trusted.
Unable to find dxupdate.dll.
GetCDXUpdate(): Loading %s in %s.
Unable to iterate through %s. The file may be damaged.
GetCDXUpdate(): Extracting %s from %s.
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C
e:\dxsdk\wggt_aug07\private\multimedia\directx\setup\dxwsetup\utils.cpp
Currently %s is newer than the one being installed
Target file: '%s'
Target file is Version %d.%d.%d.%d
Source file is Version %d.%d.%d.%d
Unable to get Version on source file %s
Unable to get Version on target file %s
\user.exe
RegCloseKey()
StringToVersionInfo() failed, version = %s.
GetDXVersion(): This may be a older DirectX which does not have the directx key in the registry.
Unable to create path string, %s\directx.log.
\directx.log
SPFILENOTIFY_DELETEERROR: Unable to delete %s.
Deleted file %s.
Deleted file %s with DELAY_UNTIL_REBOOT.
SPFILENOTIFY_COPYERROR: Unable to copy %s.
Installed file %s
Unable to open %s.
Extracted file %s from cab
SPFILENOTIFY_FILEEXTRACTED: error = %d
Unable to proceed %s:[%s]. The file may be damaged.
Unable to copy %s to %s.
[Strings.eng]
Use string section : [Strings.%s]
[Strings.%s]
mscoree.dll
- CRT not initialized
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
dxwsetup.pdb
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
USER32.dll
COMCTL32.dll
SHFileOperationA
SHELL32.dll
VERSION.dll
ole32.dll
GetProcessHeap
GetCPInfo
%WinDir%\DirectX.log
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\dxwsetup.exe
version="1.0.0.0"
name="Microsoft.DirectX.WebSetup"
DirectX Web Setup
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
The DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.
o dos componentes de tempo de execu
Sla uw werk op en sluit alle toepassingen voordat u doorgaat.
mto operacn
Instalace byla ukoncena.dInstalacn
.QInstalacn
fen Sie die Netzwerkverbindung.DDie Datei konnte nicht gedownloadet werden, da sie nicht g
Komponenten werden installiertSDirectX-Laufzeitkomponenten werden gedownloadet. Dies kann einige Minuten dauern...jVer
Do you want to continue?ZDirectX is not completely installed on your computer. Are you sure you want to quit setup?7This package is not supported on this Operating System.
Setup is canceled.RSetup could not download the file. Please retry later or check network connection.OSetup could not download the file since the file to be downloaded is not valid.
Installing ComponentsFDownloading DirectX Runtime Components. This may take a few minutes...jSearching for updated DirectX Runtime Components and updating as necessary. This may take a few minutes...
n?9Este paquete no es compatible con este sistema operativo.&Se cancel
n.vEl programa de instalaci
n de red.QEl programa de instalaci
n sea necesario. Esta operaci
e.xLe programme d'installation n'a pas pu t
seau.VLe programme d'installation n'a pas pu t
cution DirectX. Ceci peut prendre quelques minutes...nRecherche des pilotes DirectX modifi
Continuare?FInstallazione di DirectX non completata. Interrompere l'installazione?6Pacchetto non supportato nel sistema operativo in uso.
Installazione annullata.iImpossibile scaricare il file. Riprovare in un secondo momento oppure controllare la connessione di rete.GImpossibile scaricare il file poich
StatoPAttendere. Il programma di installazione sta completando le seguenti operazioni.
in corso il download dei componenti DirectX. L'operazione potrebbe richiedere alcuni minuti...
in corso la ricerca dei componenti di run-time di DirectX. Se necessario, i componenti verranno aggiornati. L'operazione potrebbe richiedere alcuni minuti...
Setup is geannuleerd.dSetup kan het bestand niet downloaden. Probeer het later opnieuw of controleer de netwerkverbinding.DSetup kan het bestand niet downloaden omdat het bestand ongeldig is.
DirectX Setup.Het runtime-onderdeel voor DirectX installeren
VoortgangRSetup is bezig met het voltooien van de volgende handelingen. Een ogenblik geduld.'Bezig met het downloaden van onderdelen(Bezig met het installeren van onderdelenWBezig met het downloaden van DirectX-runtimeonderdelen. Dit kan enkele minuten duren...qBezig met zoeken naar ge
Czy chcesz kontynuowac?pProgram DirectX nie zostal calkowicie zainstalowany na tym komputerze. Czy na pewno chcesz zakonczyc instalacje?;Ten pakiet nie jest obslugiwany w tym systemie operacyjnym.
zniej lub sprawdz polaczenie sieciowe.NInstalator nie moze pobrac pliku, poniewaz pobierany plik nie jest prawidlowy.
o do DirectXWEste programa instala os componentes de tempo de execu
completamente instalado neste computador. Tem certeza de que deseja sair da instala
suporte a este pacote neste Sistema Operacional.
o foi cancelada.mA instala
o de rede.QA instala
o do DirectX4Instalar componentes de tempo de execu
Instalando componentesqFazendo o download de componentes de tempo de execu
Procurando por componentes de tempo de execu
r operativsystemet.
ts.YDet gick inte att h
gra minuter...hS
%s ...
: %d.%d MB
: %d KB
: d:d:d
http://www.microsoft.com/directx
http://Microsoft.com/DirectX
http://www.betaplace.com
http://www.BetaPlace.com
Windows(R)!
%s...
: %d kB2Odhadovan
DirectX z webov
nky http://www.microsoft.com/directx. Instalaci ukonc
te na webov
m serveru http://Microsoft.com/DirectX. Aktualizovanou predprodejn
m serveru http://www.betaplace.com.DInstalacn
DirectX: %s
stup k webov
mu serveru http://www.BetaPlace.com, budete muset syst
m Windows(R) znovu nainstalovat.GChcete pokracovat v instalaci t
Downloaden von %s...
e: %d.%d MB
e: %d KB4Gesch
tzte verbleibende Downloadzeit: d:d:d
Das DirectX-Laufzeitpaket ist nicht mit der installierten Version von Internet Explorer kompatibel. Downloaden und installieren Sie das wiederverteilbare DirectX-Paket von http://www.microsoft.com/directx. Klicken Sie auf OK, um den Vorgang zu beenden.
Diese Vorabversion von DirectX ist bereits abgelaufen. Besuchen Sie http://Microsoft.com/DirectX, um die neueste ver
ffentlichte DirectX-Version zu downloaden, oder besuchen Sie http://www.betaplace.com, um die aktuelle Vorabversion zu downloaden.&DirectX-Setup - VORABVERSIONWARNUNG!!!.Diese Vorabversion von DirectX L
UFT am %s AB!
ssen Windows(R) erneut installieren, wenn Sie
gen, und auf die Website http://www.BetaPlace.com zugreifen, wenn die Kennung abl
Downloading %s ...
Download size: %d.%d MB
Download size: %d KB/Estimated downloading time left: d:d:d
This DirectX runtime package is not compatible with the version of Internet Explorer currently installed. Please download and install DirectX Redistributable package from http://www.microsoft.com/directx. Press OK to exit.
This pre-release version of DirectX has already expired. Please goto http://Microsoft.com/DirectX to get the latest released version DirectX., or to http://www.betaplace.com to get an updated pre-release version.&DirectX setup - pre-release WARNING!!!2This pre-release version of DirectX EXPIRES on %s!
You will need to re-install Windows(R) if you do not have a valid DirectX BetaID and access to http://www.BetaPlace.com website when it expires!XWould you like to continue with the installation of this pre-release version of DirectX?
Descargando %s ...
o de descarga: %d.%d MB
o de descarga: %d KB4Tiempo de descarga restante estimado: d:d:d
n de Internet Explorer instalada actualmente. Descargue e instale el paquete redistribuible de DirectX desde http://www.microsoft.com/directx. Presione Aceptar para salir.
n preliminar ya ha caducado. Vaya a http://Microsoft.com/DirectX para obtener la versi
s reciente disponible de DirectX o a http://www.betaplace.com para obtener una versi
n preliminar de DirectX CADUCA el %s.
que volver a instalar Windows(R) si no tiene un Id. v
n beta de DirectX y accede al sitio web http://www.BetaPlace.com cuando el Id. haya caducadoJ
chargement de %s en cours...#Taille de t
: %d.%d Mo Taille de t
: %d Ko7Temps restant estim
chargez et installez le package DirectX redistribuable depuis le site http://www.microsoft.com/directx. Appuyez sur OK pour quitter.
. Visitez le site http://Microsoft.com/DirectX (site en anglais) pour obtenir la derni
e de DirectX, ou le site http://www.betaplace.com (site en anglais) pour obtenir une version pr
jour.JAvertissement - Programme d'installation de DirectX version pr
commerciale de DirectX expirera le %s.
installer Windows(R) si vous ne disposez pas d'un identificateur valide de B
http://www.BetaPlace.com [site en anglais] lorsque l'identificateur expirera.RVoulez-vous poursuivre l'installation de cette version pr
Download di %s in corso...
Dimensione download: %d.%d MB
Dimensione download: %d KB2Tempo restante di download stimato: d.d.d
compatibile con la versione di Internet Explorer attualmente installata. Scaricare e installare il pacchetto DirectX Redistributable da http://www.microsoft.com/directx (informazioni in lingua inglese). Premere OK per uscire.
scaduta. Visitare il sito Web http://Microsoft.com/DirectX per ottenere l'ultima versione completa di DirectX o la pagina http://www.betaplace.com per ottenere una versione preliminare aggiornata.6Installazione di DirectX - Avviso versione preliminare3Questa versione preliminare di DirectX SCADE il %s.
necessario reinstallare Windows(R) se alla scadenza non si dispone di un BetaID valido per DirectX e di accesso al sito Web http://www.BetaPlace.comEContinuare l'installazione di questa versione preliminare di DirectX?
http://Microsoft.com/DirectX
http://www.betaplace.com
http://www.BetaPlace.com Web
Windows
. http://www.microsoft.com/directx
. http://Microsoft.com/DirectX
, http://www.betaplace.com
Windows(R)
Dialoogvenster van MS Shell#Bezig met het downloaden van %s ...
Downloadgrootte: %d.%d MB
Downloadgrootte: %d kB1Geschatte resterende downloadtijd: d:d:d
nstalleerd. Download en installeer het DirectX Redistributable-pakket van http://www.microsoft.com/directx. Klik op OK om de wizard af te sluiten.
Deze evaluatieversie is reeds verlopen. Ga naar http://Microsoft.com/DirectX voor de meest recente releaseversie van DirectX of ga naar http://www.betaplace.com voor een bijgewerkte evaluatieversie.-DirectX Setup. Waarschuwing: evaluatieversie.0Deze evaluatieversie van DirectX verloopt op %s!
U dient Windows(r) opnieuw te installeren als u geen geldige b
ta-id voor DirectX en toegang tot de website http://www.betaplace.com hebt wanneer DirectX verloopt.HWilt u doorgaan met de installatie van deze evaluatieversie van DirectX?
Trwa pobieranie %s ...#Rozmiar pobieranego pliku: %d.%d MB Rozmiar pobieranego pliku: %d KB3Szacowany pozostaly czas pobierania: d:d:d
w wykonawczych programu DirectX nie jest zgodny z zainstalowana obecnie wersja programu Internet Explorer. Pobierz i zainstaluj pakiet redystrybucyjny programu DirectX z witryny http://www.microsoft.com/directx. Nacisnij przycisk OK, aby zakonczyc.
Waznosc tej wersji wstepnej juz wygasla. Przejdz do witryny http://Microsoft.com/DirectX, aby uzyskac najnowsza z wydanych wersji programu DirectX, lub do witryny http://www.betaplace.com, aby uzyskac zaktualizowana wersje wstepna.
Po wygasnieciu waznosci tej wersji trzeba bedzie ponownie zainstalowac system Windows(R) w wypadku braku prawidlowego identyfikatora Beta programu DirectX i dostepu do witryny http://www.BetaPlace.com w sieci web!ICzy chcesz kontynuowac instalowanie tej wersji wstepnej programu DirectX?
Fazendo o download de %s ...
Tamanho do download: %d.%d MB
Tamanho do download: %d KB3Tempo de download estimado restante: d:d:d
Este pacote de Tempo de Execu
vel em http://www.microsoft.com/directx. Pressione OK para sair.
expirou. Visite http://Microsoft.com/DirectX para obter a vers
o mais recente do DirectX, ou http://www.betaplace.com para obter uma vers
amento do DirectX EXPIRA em %s!
de reinstalar o Windows(R) se n
lida e acessar http://www.BetaPlace.com quando ela expirar!HDeseja continuar a instala
%s ...&
: %d.%d
http://www.microsoft.com/directx.
http://Microsoft.com/DirectX,
http://www.betaplace.com,
Windows(R)
http://www.BetaPlace.com.?
mtar %s...
mtningsstorlek: %d.%d MB
mtningsstorlek: %d kB,
mtning: d:d:d
n http://www.microsoft.com/directx. Klicka p
till webbplatsen http://Microsoft.com/DirectX f
mta den senaste officiella versionen av DirectX eller till http://www.betaplace.com om du vill h
lla den %s.
ste installera om Windows(R) om du inte har ett giltigt DirectX BetaID och
tkomst till webbplatsen http://www.BetaPlace.com n
%Optionale DirectX-LaufzeitkomponentennDie optionalen DirectX-Laufzeitkomponenten werden gesucht und gedownloadet. Dies kann einige Minuten dauern...rEine neuere oder gleichwertige Version von DirectX ist bereits installiert. Eine Installation ist nicht notwendig.
in corso la ricerca e il download dei componenti facoltativi DirectX Runtime. L'operazione potrebbe richiedere alcuni minuti...
...WDirectX
(Optionele onderdelen van DirectX Runtime^Optionele onderdelen van DirectX Runtime zoeken en downloaden. Dit kan enkele minuten duren...dEr is al een nieuwere of gelijkwaardige versie van DirectX ge
5Componentes Opcionais de Tempo de Execu
o do DirectXyProcurando e fazendo download de Componentes Opcionais de Tempo de Execu
Windows
mu WIndows.
pro instalaci..Zdrojov
..Zdrojov
ne %d MB. M
ch souboru.GInstalacn
r die Installation von DirectX neu starten. Klicken Sie auf "OK", um den Computer jetzt neu zu starten..DirectX-Setup wurde erfolgreich abgeschlossen.YDiese DirectX-Version ist mit der zurzeit installierten Windows-Version nicht kompatibel.GEine f
hr %d MB ben
EDirectX setup needs to restart your machine, press OK to restart now.)DirectX setup has completed successfully.ZThis version of DirectX is not compatible with the version of Windows currently installed.9DirectX could not find a file necessary for installation.!DirectX source file is incorrect.!DirectX source file is incorrect.%DirectX did not copy a required file.
DirectX needs approximately %dMB. You can increase available disk space by uninstalling applications or by deleting unneeded files.1DirectX setup could not find a required inf file.
correctamente.YEsta versi
n de Windows instalada actualmente.CDirectX no pudo encontrar un archivo necesario para la instalaci
DirectX necesita aproximadamente %dMB. Puede aumentar el espacio disponible en disco desinstalando aplicaciones o eliminando archivos innecesarios.@La instalaci
un archivo .inf necesario.
e.`Cette version de DirectX n'est pas compatible avec la version de Windows actuellement install
e.BDirectX n'a pas pu trouver un fichier n
%d Mo environ sont n
sinstallant des applications ou en supprimant des fichiers inutiles.ULe programme d'installation de DirectX n'a pas pu trouver un fichier .inf n
compatibile con la versione di Windows attualmente installata.;Impossibile trovare un file necessario per l'installazione.%File origine di DirectX non corretto.%File origine di DirectX non corretto.'Impossibile copiare un file necessario.
DirectX richiede circa %d MB. Per liberare spazio su disco, disinstallare alcune applicazioni o eliminare i file non necessari.'Impossibile trovare un file necessario.
nstalleerd nadat het systeem opnieuw is opgestart. Klik op OK om opnieuw op te starten.'De installatie van DirectX is voltooid.VDe huidige DirectX-versie is niet compatibel met de ge
nstalleerde versie van Windows.>DirectX kan een voor installatie benodigd bestand niet vinden."DirectX-bronbestand is niet juist."DirectX-bronbestand is niet juist.2DirectX heeft een vereist bestand niet gekopieerd.
DirectX vereist ongeveer %dMB vrije schijfruimte. U kunt schijfruimte vrijmaken door toepassingen of overbodige bestanden te verwijderen.6DirectX Setup kan een vereist INF-bestand niet vinden.
hInstalator programu DirectX musi zrestartowac komputer. Aby zrestartowac go teraz, nacisnij przycisk OK.8Instalacja programu DirectX zostala ukonczona pomyslnie.^Ta wersja programu DirectX nie jest zgodna z wersja aktualnie zainstalowanego systemu Windows.AProgram DirectX nie moze znalezc pliku potrzebnego do instalacji.'Plik zr
Interfejs DirectX wymaga okolo %d MB. Mozesz zwiekszyc dostepne miejsce na dysku odinstalowujac aplikacje lub usuwajac niepotrzebne pliki.BInstalator programu DirectX nie moze znalezc wymaganego pliku inf.
xito.aEsta vers
o do sistema operacional atualmente instalado.EO DirectX n
O DirectX precisa de aproximadamente %dMB. Voc
rios.QO Programa de Instala
Windows.8DirectX:
rdig.XDen h
r inte kompatibel med den Windows-version som
r installerad.DDet gick inte att hitta en n
r %d MB. Du kan
vs.JInstallationsprogrammet f
DXError.log
DirectX.log
(ManagedDX.CAB)
.NET Framework RC2
.NET Framework
to chybe naleznete v souborech DXError.log a DirectX.log ve slo
ce Windows.DRozhran
mu Windows NT podporov
operacn
tko Storno.HRozhran
mu Windows NT predinstalov
treba znovu instalovat.wAktu
mu.qTyp procesoru nen
DirectX (ManagedDX.CAB) v distribucn
.NET Framework verze RC2 nebo novej
.NET Framework a spustte instalaci rozhran
DirectX znovu.ZStahov
ba, a zda je certifik
Weitere Informationen zum Ermitteln des Problem finden Sie in den Dateien "dxerror.log" und "directx.log" im Ordner "Windows".7DirectX3D wird von dieser NT-Version nicht unterst
her.yDie Kabinettdatei f

iexplore.exe_1712:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wmic.exe:1244
    dxwsetup.exe:1552
    6_Offer_11.exe:504
    mscorsvw.exe:172

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D0AD9OBH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D0AD9OBH\DynamicOfferScreen[1].htm (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZQVU5YJ\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\Setup_product_6416[1].exe (37311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YAYYR8I4\BuzzIT2Checker11-6[1].exe (9673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZQVU5YJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7Y1WUEK2\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_11.exe (12515 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
    %System%\DirectX\websetup\SETB9.tmp (10815 bytes)
    %WinDir%\DirectX.log (1635 bytes)
    %System%\DirectX\websetup\SETB8.tmp (601 bytes)
    %WinDir%\setupapi.log (1296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.inf (477 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dsetup32.dll (25519 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.exe (8906 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dxwsetup.cif (1111 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dsetup.dll (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsMad.dat (23779 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp\System.dll (11 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
