Trojan.Generic.10489367_9282a87453

by malwarelabrobot on September 21st, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.10489367 (B) (Emsisoft), Trojan.Generic.10489367 (AdAware), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9282a87453d4f9dda09ef8c4dc499830
SHA1: 19edb08ad96b4299da9aeea6f0cabfa2983b283c
SHA256: e849976c79a0e8cc6b879c5aabaaca96c10d2ce5037929786edae54a34025b68
SSDeep: 24576:PFQeYLbKKEPS1bvKE2JCanW0RBeZcXhI6CAJvvRKNvWFjHfB8MC:PFQzKKEP2biE2JCanp/ccXylAJHUNvyU
Size: 1342840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CHIP Digital GmbH
Created at: 2012-04-10 03:11:21
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

WerFault.exe:3896
%original file name%.exe:1976
RegSvcs.exe:3828

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\j94O16yK.HR7 (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autF48B.tmp (5697 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autF48B.tmp (0 bytes)

Registry activity

The process WerFault.exe:3896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 08 00 00 00 00 00 00 00 23 77 40 00"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"b71F68lB" = "C:\Users\"%CurrentUserName%"\i90V74cK\hostprozessor.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 548215 548352 4.65119 d3f554afb4f86e6713c00d0703510f32
.rdata 552960 105518 105984 4.10871 6ae99e41cb24f4735ece3ea891baf7f0
.data 659456 108632 26624 1.49446 25a928efff72ddeccbf2e0cc0d7fad03
.rsrc 770048 11856 12288 2.52381 1ae73df6009ab1a08578e51a68f2e2d2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
ee3264df77562e13d3b1e1fba8e664f6
5123db3727596da99b927723b0d5a176
e768ed074bd6529bcd3c24362f5c15da

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1976:

.text
`.rdata
@.data
.rsrc
s%j.Zf
8crtsu
:crts
PSSSSSSh
crts
?#%X.y
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
USERENV.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 9, 4
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
c:\%original file name%.exe
C:\%original file name%.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

%original file name%.exe_1976_rwx_003C0000_00001000:

.rsrc

RegSvcs.exe_3828:

.text
`.rdata
@.data
.rsrc
DEBUG: Passed emulation checks.
dCoPakh_I__CszxF_EFoQV9_GX_jA_iN7i_E__s_EohyC_ivhk6NI_ts3aly_VO_tY2E6mE_xGna62v1_TUqyrJ3_r5__O3qUV_UNC_Y3hSG__q57nKFvXjGWv4z_lO4QcPJ_oVsAS5xdBvoqE6HVj_bYTEXNur_ot4jdvy__6__lLdz_MRTondU4fPo_h_UeHgAlL_zFhsl1NG_7cR9P3j_o_zLNO_6U___ohMXGP9tR_c5r_a_Z3o39__QYxF__cPG2aDe_H_qObKNsa3zGDjFotz___o91Nu_z9s_b2JhAFowJof_xRQs_tvbaCxeul____fkDRa_fl2I81RthGDAUqs_UjH4_IFTp_kBKTB_QI__X9J5Y1UTV37DmMAz_Yz_J3s_OGoF_K5ZFIeihjgcMKVDGoWnAYoy__V_92_5_F_1gF6R2S1u__gvr_SF__2yXdj_d_4wK6MEE2DI7XUWFPzbL_GyAv_KhktCCSO65mhKaQ_IBf_Pf1OAGvRU_C_fuREF_v8UduvrpaeJi_qmO_iAbWZ7FF_G_cSSdny_sjLXNbRveHE_K___yu_Bt7KMYjOT1yDhmq_NRBDtiK_Dr_1_jI_r__RUA1BJ_g__4nJ3c5KVuNoS__x__AEjueyxShERd___9QRN3KKkDtp89q
DEBUG: Adding run key?
DEBUG: Adding Active-X key?
_ne9__XVv___Tj_83U7CQR2PDhMi_IFZ_cW1ESU2_TZ1WbYrcsC_r__NW_Oq9jc_Hb_QVC7x6zISatTeZw4SxL4_IsSHtH8njQpBWzMcD_R4g4Z1tWmrF_j_2cC_XozPunIf6_R2u6S_ergs8NOG__KKA9_6u_F8_BP7RR38jNveI_5_yBoqL9R_Hhp3k3gddV1aa65YST_G1__J3m_3ZXf__Z8Qf___MQ__Cp_ahm6hiJq__Xcepjd9_am_VFrcFjXW_3MokLeOfH_H_MytefWKK_fbmwbPiXk6IAZZ_EiMI41i5H8vVGNqvo_nsyNvvp15l_A_4_1mNz5dyr7z__KDLw_iIg_e572m5_G__6pirCa7qBmW5853Cz_akAAWtxIJhEOci_i_3b7u_V_9FDNhWnm_ikvomARjnt_vvKQ67gpHI_N_R_gepvP91_xzRxjGDl1A57___bZ5QB_JmY_bSxfea_y3PUGyqrCLo_MU_VN3L8_vAxvS_Z_uYz_poE6lBF4UsY_e1qn1X5a_nhr4Iv4leaL7N_j1uHIfZ_v1vye_q_f7_hZPrGXDR18PH_V_kavKZwQQ7_zy5_8WLYGvZDs7pZ_AW7CU21Ix_B_jeIO_hLjktd5wbA41I_5zIYje_BK_P__oMuiERTiKF_q_R__kOIbEw9v2gy_D__ULO_rGsWFNHwK_r_uH_4hVv_18W_gf_d_lS_ohV5bIlYNkTI7_T_d3Pypj6c_BF5__9_xkQW_bE79_8SZ8oKJS_TDcrE6jzC3_Gjxc_5cRje5ofKEg_yguVojy1HL4_M43r24LpSswI7APFGNUHpMzN_ouMy_2ZMMrb7A9_DSN5foZq_UCCiAZh_V_Kd_IyXUmyah_TmT_BV__aJ_ORECMht6J9MDuCX_ZWl_GnpQ_6TX_kObT_M4JV4S_so3PkA2Z6iGdmU9_u_pfxcW1_zcjtX_B_NM_ZTaVPM_x_nqXSp_gLKuRIqofKC1VmNNinYU_Qucy_K_4vewrkXSzdISbKu3HnXm6oo__Y
RegCreateKeyEx called successfully.
RegCloseKey called successfully.
DEBUG: Adding Active-X key to HKLM.
DEBUG: Adding Active-X key to HKCU.
DEBUG: ** FOUND POLICIES REGISTRY KEY **
DEBUG: ** CANNOT ACCESS POLICIES REGISTRY KEY **
DEBUG: ** COULDN'T FIND POLICIES REGISTRY KEY **
DEBUG: Checking for correct execution path...
V_ifot__OfN_Q9dB_yjFPQEKwl3i1UzNJZKzygWOYR_hHXj5aflfOVgVVKv1XpBZtdYhf6U_NY_k_KKKZYe8UK1XM_Vk_LrvMfpqsy_jOOu5k5UO8R_jZOHA2IGwXsol6_UvQ_dlHbPatsE3LcQ_CV9hHvhyg8lssNAPTT4U_8_r_YQ_lkq_HP9FwFECu_J_mku53rd3P6qz1Qy3__Ppbh_KXSwQ2H__zDb_T4_oP_ZTw164lj9_KbC_OHe9C_IDtE__uIh5_K6K_pOVIx_Fhg_6Esbc_asp_DQU2sjt_jDep1o4hUVVi9axY4CI4G_VYc_ewFKqDJbtBng__DNmpXZBK_5_igrcfe_Mnoxhtxk3bImi6m_CBW__n9__rtm_I1_Ng6xmvy4B_D7RpPvw_NAY_4sm9NEg__gW4UH5K5BIjLlCQlmfPCuf2___H_s_Be__Gz5t78nThl_39_epW_jYlD_HS7_f8TW___2t___p_ed_6XVx_ap9k6ojdhT_6_hTtXtGZFQ_RLIUrA_c__pMN_gSr___V___PVB_qJYT9tHYmrT_HUYOfqF_k_XsnqR__nM__haj_ndje_4wqKT_lsoM_QjFp7X1_tKYbW3bg_gqtufTMwtCbk_vhhUKG__Tu_Ms_pf_rbVBYe_lSb6lQmoM5__pa__Y_B_8__c6FeiLnWA_sg7__6_de2X_EHI_jci6BnRLOx8_fwWkLvqQep8i_E_1w_gMZVMc_m2L_SFVL_IuXC12yz5g__rghf___qkStDAFdOPINbsnj_F2pZ_SXZlLrv5NXvn_f9hA1A_X_5F_zn_Ay_1DGMt5fn_sLBx_R_cX4U2C84_cpzgRrc_Lmp9TX_BRPHrYB_y8iM_sLwomJ495T7P8CY1_i2SfZFfMgpA5xcRik6_F_FD5_iZ3e1n_yht6_DdhwiPo5fRo9UOVERL_P_L53N2ishIiMI_Emmamh5EPlT__yMTNoiPv3_bYIltgc__ImE_hsQlaDu_Tp__zG_ug16
f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c
Client hook allocation failure at file %hs line %d.
Memory allocated at %hs(%d).
Client hook re-allocation failure at file %hs line %d.
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory after end of heap buffer.
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory before start of heap buffer.
CRT detected that the application wrote to a heap buffer that was freed.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c
f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c
Run-Time Check Failure #%d - %s
%s%s%s%s
%s%s%p%s%ld%s%d%s
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\misc\i386\chkesp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\a_env.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
GetProcessWindowStation
_CrtDbgReport: String too long or IO Error
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s%s
%s(%d) : %s
_CrtDbgReport: String too long or Invalid characters in String
RegCloseKey
RegOpenKeyExW
f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
operator
f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c
portuguese-brazilian
f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c
f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_sftbuf.c
C:\incognito\stub\Debug\Stub.pdb
KERNEL32.dll
USER32.dll
SHELL32.dll
ole32.dll
GetCPInfo
GetProcessHeap
ntdll.dll
kernel32.dll
advapi32.dll
wininet.dll
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
dbghelp.dll
SbieDll.dll
api_log.dll
dir_watch.dll
pstorec.dll
InternetOpenUrlA
user32.dll
shell32.dll
RegOpenKeyExA
RegCreateKeyA
ShellExecuteA
http\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cmd.exe /c del "
Software\Microsoft\Windows\CurrentVersion\Policies\System
%Program Files%\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
&.Ed}M
j.gBF
-:.oA
B.jV#
W3piPe
%XPfT
LJI%DY
&0eg.YB
%F>8C
O=H
%S6fR
!#.cZ
.aFGz8V1_P_79Dmz_HWYneX_11_I_m_7YtB4KMf_srSBZzvujq_WnVlBk8EmVPTOV__GYToUwjR6bPb_YM_hrpe_OpP_QjoMoxIrX_JspAvqu4GkXO_dCZl62VZ_J_qz_yNI_9ckkkcTN_Di_HaAb_1nkZl8o33VkY_1NuBuwXwiV_VWPP__dg_w_qLg1AxsvuhojS94__xhL_wbItphvHC_nf8q_v_ZgOKy_Rx9_JdbEm2j_C_A_f_rCUG__Qjc__VWCKknsjQWoTUmHiA_CA5_k7_RgrN2R9jkrbHIQymI_jr_PJG_rMCqOoEfk7rvylWoYBnVO4Oa61Q_IdIK87F_IQ1cQNjxaMk_s_UBT_WTnWhIfQ_er4ovAMF1__f4_Q_5nJbm8Cm_8__Pg7_RoFY_iJv_Eatd8_fhfwRUxCQUX_Uu__UhDxfUEAeYjV7l1PO5temuoA__Bd_hh_wu_5bZXAc3R4Ur_WuCaq_v8_jHsDYZ___dq5_HJArBxBi___ztxj_N__IQUsEq_GDxxw7I_1GhytnNfEXojRn5_hJa3dLs_tUbvl_oMC2Znn__nAzb_kZkQNd4K_lr_HT32LoP28bTbn3Z2AfgMl4fSBy8vx3f___xG7Wc__R4d_Jh9gRAK_t_Y4Y_UT9__mOfWdKwbD4_hvzm__l6iVhgfdrL_2_et_aXNN_P9_hJqKQW_1N_bmrI_ilTKexbAk4C_Xa__FI_N__STHvC_ShlYrqO6KrSE26U6aArKfdmbPUQaTdzsdZBklkM_7tTCR_pZC_XyXgYRSp_ijaN_Q2Zv9kMB8j_xXt_Y87FDqCFMmeFmN_wo7_5_K_O8pHgSzk_k5un_1Lft_Z
v_4NF2x3mtTTAp_p4f__d_AnsCE7_Ez_K8_aRhyGfr2_qeShy1QU_4gMy_D_CcT7Pk8fcu21uw_HT2dlX_J_81_AIkB2C_PV_szDEZJLP_3y3_aKHinqUkzAFjXWn__Mhp_koN5THiqg_eDuBaat2_sCU2k2Qxz3__9B_9OnLvDQ_R_5Fg__khs_BEBcV_n7hM___u5Mn5_Lro4__Qd22KRhIn89FvLumUHERj3dS2acnOzuP_wVmS__cG_KKCc_843_C__28_6fq_K_Wtp_H_N_C5_djQBFn_xSa_oNaTtTsqkc1DGNmD_VfN1SDlcbo69NMCII_Nq_uwYZeCM7q8lx2Ma_ovTH_JRr__ZK4wmkz_4_gl_KgrmW1Zsep325RVJJ__HCLq1eDnvSe3qYV__lAET3Fx_v2_Y2_GylkReZNP1_f__12DV_RJxnm_G_I_kybiUE4VgVe_DgYUZXzrr___Dz3_OdIA__rClw_kfi_2s_qK_x_VDLtgfsOzESjJeFfKP_L2r2DPTw__cMdlLw_m_Vs_cKPM1_sBb_l_AyO_h4EXQrtZHhbSaRe___2a_6_8Q__9VKwBUugH3A5g_NwleM_yCCEBX_zzQQH7_fST1E_j4Ns_ov_fa_xLd5XJscm5_8GIQvllQ_cF__B8N5QQi_HWOJoevS_w_C8q1_VTGxDLiwm_cG_coC4_HWJQFgv8nQK_ho_rbd6Tw6A9v__Z_R_VE_D_lFqp_5CK__PMRRaNsKxeAmTV89PAi1Hl5_CuGf__6vj3eedFKhm2WX9TUccCEGesrxV_jUe_aiwb8NHkM6BWTp_xushBClGF6diNXS2Barhl7b_9TjzoDFbm_V5BuS89jwOU_j_xfL__dWhleuHjD__2l9VzXIxHMZXP__R7IJuKvLFJ_6ZA3_pS_wsy
IDjblPu_lW6__Sx_AksbLV_zt_kB1fsZ_C6eTq9BXWUQb_718_JXHpjNoOr1Yk_gf_ofFa8S1Mh5MK_7czT6P5LXg3_I_sSHv_gv4TW_jmm72Jo_IoYLC_Yni__BpX5_D_JCShmBBcBhNihqX_grn_RK_WDY4H_fPjqfV_awf__H2Bc_d_3Xq__4vwj_am2_E_Hu4___k_HTbp_2bY3GNbjnS__k_HPErDQ__u_Pg9__o83B_J7kX_1vd_xl9C_Uq4kD_WOYX7PnT___Xu__oj_L_NbNEyd_9nJdBf1qA_i_a3DDN_ySMOO1_X_z9QfKM____MWK_6KZFgJ318FR_YZIhJ7DdaAjW_fTtD7RLxpmnrjaCI1XMXaHjI_J1Awu7p_Y_Uoz_AIDNDLVIDB73BxW_U5YdQRqgaG1S8_cyU_dyg__fiSXFtU_x_orH_oY_Yyciuh6p_Xebg___CKgFTcHfGJ_8T___14bGSGuOO_vaoDv____oSURe5_BZkIPoTkSQz9CG71bjgI_o_QD2ei8b48_f4Oo_FbaleFGrX__262rkCuskM_3ZKhPEBwEVgsPJLF__UuW_3EmK5bVn_FEsn8R_GAnGBU_mRxYxdgj6dCO_uV_8_T__oF7zIST3hdn
.LhuIooR1KHsmojWzdLe__mBbbuTc51ew_T6O_kWP81fEuJrE_CP_pq__AAEbJ2_LLYX_d3V_25894_BVUS42__nkd6P_88__CFRJ___X_8c7Lao1Y4_I3_N_Ry7_y_Jvl__TvvrdCXKO6hNZA_7SGv_g5CqeAyWEDnmQh3_L3JBSCE3b_RHikKiqJjzzvcCECl8y1bQ_IfbSd6_VO5e_1r_5_PjyDp_oeNZ_sC1nfnbsZkXXzYaTLTcsQR6nNxEzttfsgvT_uAC_imD9_F_KdW_5D_sg7k3A6hhBwrcy_a9pX_ypN2PHF_aH_6_FEJkd_iQ3w_RwGog3_oReu5CFN86U_9NT_1_sq_1HQwvU1Wq_IOmECHmXm8A_TSkBi_1yP__h7dabJie8_CFSgVg_S6_qo_oIYJSMkl_Gdn_a98RM_dFo_9__AGe_ocvaku9o6ll_LnhFTNkZBGWHzAgPcGceysOjq_AzHKqV_K_uVuzr_mb2Bd2_zf4tEZdi
mscoree.dll
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgdel.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")
wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")
_NMSG_WRITE
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c
KERNEL32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtSetDbgFlag
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)
_CrtDoForAllClientObjects
_CrtMemCheckpoint
_CrtMemDifference
_CrtMemDumpStatistics
ADVAPI32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\rand_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\handler.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\dosmap.c
_CrtSetReportHookW2
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)
wcscpy_s(szExeName, 260, L"<program name unknown>")
__crtMessageWindowW
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strtoq.c
f:\dd\vctools\crt_bld\self_x86\crt\src\heapinit.c
_crtheap
f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c
WUSER32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))
f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.h
("Corrupted pointer passed to _freea", 0)
E_CrtSetReportHook2
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
strcpy_s(szExeName, 260, "<program name unknown>")
__crtMessageWindowA
f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c
f:\dd\vctools\crt_bld\self_x86\crt\src\sprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c
fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0
_CrtSetReportMode
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c
nRptType >= 0 && nRptType < _CRT_ERRCNT
_CrtSetReportFile
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportA
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportW
f:\dd\vctools\crt_bld\self_x86\crt\src\swprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c
MSPDB100.DLL
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c
("CRT Logic error during setenv",0)
__crtsetenv
Af:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\write.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c
f:\dd\vctools\crt_bld\self_x86\crt\src\printf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c
pass == FORMAT_OUTPUT_PASS
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
f:\dd\vctools\crt_bld\self_x86\crt\src\fputwc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c
f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\close.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c
Host Process for Windows Services
6.0.6001.18000 (longhorn_rtm.080118-1840)
svchost.exe
Windows
Operating System
6.0.6001.18000

RegSvcs.exe_3828_rwx_00400000_00092000:

.text
`.rdata
@.data
.rsrc
DEBUG: Passed emulation checks.
dCoPakh_I__CszxF_EFoQV9_GX_jA_iN7i_E__s_EohyC_ivhk6NI_ts3aly_VO_tY2E6mE_xGna62v1_TUqyrJ3_r5__O3qUV_UNC_Y3hSG__q57nKFvXjGWv4z_lO4QcPJ_oVsAS5xdBvoqE6HVj_bYTEXNur_ot4jdvy__6__lLdz_MRTondU4fPo_h_UeHgAlL_zFhsl1NG_7cR9P3j_o_zLNO_6U___ohMXGP9tR_c5r_a_Z3o39__QYxF__cPG2aDe_H_qObKNsa3zGDjFotz___o91Nu_z9s_b2JhAFowJof_xRQs_tvbaCxeul____fkDRa_fl2I81RthGDAUqs_UjH4_IFTp_kBKTB_QI__X9J5Y1UTV37DmMAz_Yz_J3s_OGoF_K5ZFIeihjgcMKVDGoWnAYoy__V_92_5_F_1gF6R2S1u__gvr_SF__2yXdj_d_4wK6MEE2DI7XUWFPzbL_GyAv_KhktCCSO65mhKaQ_IBf_Pf1OAGvRU_C_fuREF_v8UduvrpaeJi_qmO_iAbWZ7FF_G_cSSdny_sjLXNbRveHE_K___yu_Bt7KMYjOT1yDhmq_NRBDtiK_Dr_1_jI_r__RUA1BJ_g__4nJ3c5KVuNoS__x__AEjueyxShERd___9QRN3KKkDtp89q
DEBUG: Adding run key?
DEBUG: Adding Active-X key?
_ne9__XVv___Tj_83U7CQR2PDhMi_IFZ_cW1ESU2_TZ1WbYrcsC_r__NW_Oq9jc_Hb_QVC7x6zISatTeZw4SxL4_IsSHtH8njQpBWzMcD_R4g4Z1tWmrF_j_2cC_XozPunIf6_R2u6S_ergs8NOG__KKA9_6u_F8_BP7RR38jNveI_5_yBoqL9R_Hhp3k3gddV1aa65YST_G1__J3m_3ZXf__Z8Qf___MQ__Cp_ahm6hiJq__Xcepjd9_am_VFrcFjXW_3MokLeOfH_H_MytefWKK_fbmwbPiXk6IAZZ_EiMI41i5H8vVGNqvo_nsyNvvp15l_A_4_1mNz5dyr7z__KDLw_iIg_e572m5_G__6pirCa7qBmW5853Cz_akAAWtxIJhEOci_i_3b7u_V_9FDNhWnm_ikvomARjnt_vvKQ67gpHI_N_R_gepvP91_xzRxjGDl1A57___bZ5QB_JmY_bSxfea_y3PUGyqrCLo_MU_VN3L8_vAxvS_Z_uYz_poE6lBF4UsY_e1qn1X5a_nhr4Iv4leaL7N_j1uHIfZ_v1vye_q_f7_hZPrGXDR18PH_V_kavKZwQQ7_zy5_8WLYGvZDs7pZ_AW7CU21Ix_B_jeIO_hLjktd5wbA41I_5zIYje_BK_P__oMuiERTiKF_q_R__kOIbEw9v2gy_D__ULO_rGsWFNHwK_r_uH_4hVv_18W_gf_d_lS_ohV5bIlYNkTI7_T_d3Pypj6c_BF5__9_xkQW_bE79_8SZ8oKJS_TDcrE6jzC3_Gjxc_5cRje5ofKEg_yguVojy1HL4_M43r24LpSswI7APFGNUHpMzN_ouMy_2ZMMrb7A9_DSN5foZq_UCCiAZh_V_Kd_IyXUmyah_TmT_BV__aJ_ORECMht6J9MDuCX_ZWl_GnpQ_6TX_kObT_M4JV4S_so3PkA2Z6iGdmU9_u_pfxcW1_zcjtX_B_NM_ZTaVPM_x_nqXSp_gLKuRIqofKC1VmNNinYU_Qucy_K_4vewrkXSzdISbKu3HnXm6oo__Y
RegCreateKeyEx called successfully.
RegCloseKey called successfully.
DEBUG: Adding Active-X key to HKLM.
DEBUG: Adding Active-X key to HKCU.
DEBUG: ** FOUND POLICIES REGISTRY KEY **
DEBUG: ** CANNOT ACCESS POLICIES REGISTRY KEY **
DEBUG: ** COULDN'T FIND POLICIES REGISTRY KEY **
DEBUG: Checking for correct execution path...
V_ifot__OfN_Q9dB_yjFPQEKwl3i1UzNJZKzygWOYR_hHXj5aflfOVgVVKv1XpBZtdYhf6U_NY_k_KKKZYe8UK1XM_Vk_LrvMfpqsy_jOOu5k5UO8R_jZOHA2IGwXsol6_UvQ_dlHbPatsE3LcQ_CV9hHvhyg8lssNAPTT4U_8_r_YQ_lkq_HP9FwFECu_J_mku53rd3P6qz1Qy3__Ppbh_KXSwQ2H__zDb_T4_oP_ZTw164lj9_KbC_OHe9C_IDtE__uIh5_K6K_pOVIx_Fhg_6Esbc_asp_DQU2sjt_jDep1o4hUVVi9axY4CI4G_VYc_ewFKqDJbtBng__DNmpXZBK_5_igrcfe_Mnoxhtxk3bImi6m_CBW__n9__rtm_I1_Ng6xmvy4B_D7RpPvw_NAY_4sm9NEg__gW4UH5K5BIjLlCQlmfPCuf2___H_s_Be__Gz5t78nThl_39_epW_jYlD_HS7_f8TW___2t___p_ed_6XVx_ap9k6ojdhT_6_hTtXtGZFQ_RLIUrA_c__pMN_gSr___V___PVB_qJYT9tHYmrT_HUYOfqF_k_XsnqR__nM__haj_ndje_4wqKT_lsoM_QjFp7X1_tKYbW3bg_gqtufTMwtCbk_vhhUKG__Tu_Ms_pf_rbVBYe_lSb6lQmoM5__pa__Y_B_8__c6FeiLnWA_sg7__6_de2X_EHI_jci6BnRLOx8_fwWkLvqQep8i_E_1w_gMZVMc_m2L_SFVL_IuXC12yz5g__rghf___qkStDAFdOPINbsnj_F2pZ_SXZlLrv5NXvn_f9hA1A_X_5F_zn_Ay_1DGMt5fn_sLBx_R_cX4U2C84_cpzgRrc_Lmp9TX_BRPHrYB_y8iM_sLwomJ495T7P8CY1_i2SfZFfMgpA5xcRik6_F_FD5_iZ3e1n_yht6_DdhwiPo5fRo9UOVERL_P_L53N2ishIiMI_Emmamh5EPlT__yMTNoiPv3_bYIltgc__ImE_hsQlaDu_Tp__zG_ug16
f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c
Client hook allocation failure at file %hs line %d.
Memory allocated at %hs(%d).
Client hook re-allocation failure at file %hs line %d.
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory after end of heap buffer.
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory before start of heap buffer.
CRT detected that the application wrote to a heap buffer that was freed.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c
f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c
Run-Time Check Failure #%d - %s
%s%s%s%s
%s%s%p%s%ld%s%d%s
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\misc\i386\chkesp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\a_env.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
GetProcessWindowStation
_CrtDbgReport: String too long or IO Error
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s%s
%s(%d) : %s
_CrtDbgReport: String too long or Invalid characters in String
RegCloseKey
RegOpenKeyExW
f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
operator
f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c
portuguese-brazilian
f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c
f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_sftbuf.c
C:\incognito\stub\Debug\Stub.pdb
KERNEL32.dll
USER32.dll
SHELL32.dll
ole32.dll
GetCPInfo
GetProcessHeap
ntdll.dll
kernel32.dll
advapi32.dll
wininet.dll
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
dbghelp.dll
SbieDll.dll
api_log.dll
dir_watch.dll
pstorec.dll
InternetOpenUrlA
user32.dll
shell32.dll
RegOpenKeyExA
RegCreateKeyA
ShellExecuteA
http\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cmd.exe /c del "
Software\Microsoft\Windows\CurrentVersion\Policies\System
%Program Files%\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
&.Ed}M
j.gBF
-:.oA
B.jV#
W3piPe
%XPfT
LJI%DY
&0eg.YB
%F>8C
O=H
%S6fR
!#.cZ
.aFGz8V1_P_79Dmz_HWYneX_11_I_m_7YtB4KMf_srSBZzvujq_WnVlBk8EmVPTOV__GYToUwjR6bPb_YM_hrpe_OpP_QjoMoxIrX_JspAvqu4GkXO_dCZl62VZ_J_qz_yNI_9ckkkcTN_Di_HaAb_1nkZl8o33VkY_1NuBuwXwiV_VWPP__dg_w_qLg1AxsvuhojS94__xhL_wbItphvHC_nf8q_v_ZgOKy_Rx9_JdbEm2j_C_A_f_rCUG__Qjc__VWCKknsjQWoTUmHiA_CA5_k7_RgrN2R9jkrbHIQymI_jr_PJG_rMCqOoEfk7rvylWoYBnVO4Oa61Q_IdIK87F_IQ1cQNjxaMk_s_UBT_WTnWhIfQ_er4ovAMF1__f4_Q_5nJbm8Cm_8__Pg7_RoFY_iJv_Eatd8_fhfwRUxCQUX_Uu__UhDxfUEAeYjV7l1PO5temuoA__Bd_hh_wu_5bZXAc3R4Ur_WuCaq_v8_jHsDYZ___dq5_HJArBxBi___ztxj_N__IQUsEq_GDxxw7I_1GhytnNfEXojRn5_hJa3dLs_tUbvl_oMC2Znn__nAzb_kZkQNd4K_lr_HT32LoP28bTbn3Z2AfgMl4fSBy8vx3f___xG7Wc__R4d_Jh9gRAK_t_Y4Y_UT9__mOfWdKwbD4_hvzm__l6iVhgfdrL_2_et_aXNN_P9_hJqKQW_1N_bmrI_ilTKexbAk4C_Xa__FI_N__STHvC_ShlYrqO6KrSE26U6aArKfdmbPUQaTdzsdZBklkM_7tTCR_pZC_XyXgYRSp_ijaN_Q2Zv9kMB8j_xXt_Y87FDqCFMmeFmN_wo7_5_K_O8pHgSzk_k5un_1Lft_Z
v_4NF2x3mtTTAp_p4f__d_AnsCE7_Ez_K8_aRhyGfr2_qeShy1QU_4gMy_D_CcT7Pk8fcu21uw_HT2dlX_J_81_AIkB2C_PV_szDEZJLP_3y3_aKHinqUkzAFjXWn__Mhp_koN5THiqg_eDuBaat2_sCU2k2Qxz3__9B_9OnLvDQ_R_5Fg__khs_BEBcV_n7hM___u5Mn5_Lro4__Qd22KRhIn89FvLumUHERj3dS2acnOzuP_wVmS__cG_KKCc_843_C__28_6fq_K_Wtp_H_N_C5_djQBFn_xSa_oNaTtTsqkc1DGNmD_VfN1SDlcbo69NMCII_Nq_uwYZeCM7q8lx2Ma_ovTH_JRr__ZK4wmkz_4_gl_KgrmW1Zsep325RVJJ__HCLq1eDnvSe3qYV__lAET3Fx_v2_Y2_GylkReZNP1_f__12DV_RJxnm_G_I_kybiUE4VgVe_DgYUZXzrr___Dz3_OdIA__rClw_kfi_2s_qK_x_VDLtgfsOzESjJeFfKP_L2r2DPTw__cMdlLw_m_Vs_cKPM1_sBb_l_AyO_h4EXQrtZHhbSaRe___2a_6_8Q__9VKwBUugH3A5g_NwleM_yCCEBX_zzQQH7_fST1E_j4Ns_ov_fa_xLd5XJscm5_8GIQvllQ_cF__B8N5QQi_HWOJoevS_w_C8q1_VTGxDLiwm_cG_coC4_HWJQFgv8nQK_ho_rbd6Tw6A9v__Z_R_VE_D_lFqp_5CK__PMRRaNsKxeAmTV89PAi1Hl5_CuGf__6vj3eedFKhm2WX9TUccCEGesrxV_jUe_aiwb8NHkM6BWTp_xushBClGF6diNXS2Barhl7b_9TjzoDFbm_V5BuS89jwOU_j_xfL__dWhleuHjD__2l9VzXIxHMZXP__R7IJuKvLFJ_6ZA3_pS_wsy
IDjblPu_lW6__Sx_AksbLV_zt_kB1fsZ_C6eTq9BXWUQb_718_JXHpjNoOr1Yk_gf_ofFa8S1Mh5MK_7czT6P5LXg3_I_sSHv_gv4TW_jmm72Jo_IoYLC_Yni__BpX5_D_JCShmBBcBhNihqX_grn_RK_WDY4H_fPjqfV_awf__H2Bc_d_3Xq__4vwj_am2_E_Hu4___k_HTbp_2bY3GNbjnS__k_HPErDQ__u_Pg9__o83B_J7kX_1vd_xl9C_Uq4kD_WOYX7PnT___Xu__oj_L_NbNEyd_9nJdBf1qA_i_a3DDN_ySMOO1_X_z9QfKM____MWK_6KZFgJ318FR_YZIhJ7DdaAjW_fTtD7RLxpmnrjaCI1XMXaHjI_J1Awu7p_Y_Uoz_AIDNDLVIDB73BxW_U5YdQRqgaG1S8_cyU_dyg__fiSXFtU_x_orH_oY_Yyciuh6p_Xebg___CKgFTcHfGJ_8T___14bGSGuOO_vaoDv____oSURe5_BZkIPoTkSQz9CG71bjgI_o_QD2ei8b48_f4Oo_FbaleFGrX__262rkCuskM_3ZKhPEBwEVgsPJLF__UuW_3EmK5bVn_FEsn8R_GAnGBU_mRxYxdgj6dCO_uV_8_T__oF7zIST3hdn
.LhuIooR1KHsmojWzdLe__mBbbuTc51ew_T6O_kWP81fEuJrE_CP_pq__AAEbJ2_LLYX_d3V_25894_BVUS42__nkd6P_88__CFRJ___X_8c7Lao1Y4_I3_N_Ry7_y_Jvl__TvvrdCXKO6hNZA_7SGv_g5CqeAyWEDnmQh3_L3JBSCE3b_RHikKiqJjzzvcCECl8y1bQ_IfbSd6_VO5e_1r_5_PjyDp_oeNZ_sC1nfnbsZkXXzYaTLTcsQR6nNxEzttfsgvT_uAC_imD9_F_KdW_5D_sg7k3A6hhBwrcy_a9pX_ypN2PHF_aH_6_FEJkd_iQ3w_RwGog3_oReu5CFN86U_9NT_1_sq_1HQwvU1Wq_IOmECHmXm8A_TSkBi_1yP__h7dabJie8_CFSgVg_S6_qo_oIYJSMkl_Gdn_a98RM_dFo_9__AGe_ocvaku9o6ll_LnhFTNkZBGWHzAgPcGceysOjq_AzHKqV_K_uVuzr_mb2Bd2_zf4tEZdi
mscoree.dll
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgdel.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")
wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")
_NMSG_WRITE
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c
KERNEL32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtSetDbgFlag
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)
_CrtDoForAllClientObjects
_CrtMemCheckpoint
_CrtMemDifference
_CrtMemDumpStatistics
ADVAPI32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\rand_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\handler.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\dosmap.c
_CrtSetReportHookW2
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)
wcscpy_s(szExeName, 260, L"<program name unknown>")
__crtMessageWindowW
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strtoq.c
f:\dd\vctools\crt_bld\self_x86\crt\src\heapinit.c
_crtheap
f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c
WUSER32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))
f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.h
("Corrupted pointer passed to _freea", 0)
E_CrtSetReportHook2
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
strcpy_s(szExeName, 260, "<program name unknown>")
__crtMessageWindowA
f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c
f:\dd\vctools\crt_bld\self_x86\crt\src\sprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c
fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0
_CrtSetReportMode
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c
nRptType >= 0 && nRptType < _CRT_ERRCNT
_CrtSetReportFile
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportA
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportW
f:\dd\vctools\crt_bld\self_x86\crt\src\swprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c
MSPDB100.DLL
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c
("CRT Logic error during setenv",0)
__crtsetenv
Af:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\write.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c
f:\dd\vctools\crt_bld\self_x86\crt\src\printf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c
pass == FORMAT_OUTPUT_PASS
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
f:\dd\vctools\crt_bld\self_x86\crt\src\fputwc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c
f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\close.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c
Host Process for Windows Services
6.0.6001.18000 (longhorn_rtm.080118-1840)
svchost.exe
Windows
Operating System
6.0.6001.18000

svchost.exe_3584:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

WerFault.exe_3896:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<
t.PSj6
t5SSh
SShx`
tsShxc
t.Ph0j
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{5
3#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\j94O16yK.HR7 (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autF48B.tmp (5697 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "b71F68lB" = "C:\Users\"%CurrentUserName%"\i90V74cK\hostprozessor.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now