MD5: fe1a3b627859d5458a4ef4ca396f6cea
SHA1: 035a982727bd2f6dfbc4aaacd96110a9eb8c0d49
SHA256: 714db1ea8f57d535407db9112c266ff6992c872dfc5763bbb6f4046fe0af52b3
SSDeep: 49152:mqQP7UjePQSVpKubB6mQuTNTS98eTAHTBNGh6j3zeJjU6bW:mZP7Ub32HTBywyJjJW
Size: 3145080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ACProtect141, UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: databases
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1744

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
_handy_client
MutexNPA_UnitVersioning_1744
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
AMResourceMutex2

File activity

The process %original file name%.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
C:\Language\lng.ini (23 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (0 bytes)

Registry activity

The process %original file name%.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\HandyCafe\Client]
"Version" = "3.4.14"
"Path" = "c:\%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 9E FD 29 15 56 60 9F 87 C8 69 41 6E 49 03 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.4.14"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hndclient" = "c:\%original file name%.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:handyCafe Client"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Product Name: HandyCafe Client
Product Version: 3.4.14
Legal Copyright: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Legal Trademarks: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Original Filename: hndclient.exe
Internal Name: HandyClient
File Version: 3.4.1.4
File Description: HandyCafe Client
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://ad.handycafe.com/se/adx.php	37.58.77.224

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Http Client Body contains pass= in cleartext

Traffic

POST /se/adx.php HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

User-Agent: AtWebPost

Host: ad.handycafe.com

Content-Length: 403

Connection: Keep-Alive

lang=EN&op=get_banner&RndID=545359&Mac=00-0C-29-5C-94-64&Version=3.4.14&LocalIp=192.168.11.129&ProductKey=&ClientID=33645-86709-55665-47610-90587&Serial=&Clients=0&ServerMac=&Screen=1276x846&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&DefBrowser="C:Program FilesInternet Exploreriexplore.exe" -nohome&iType=0&Adtry=1&hpass=hcafe&rand_id=100456-545359
HTTP/1.1 200 OK

Date: Thu, 31 Jul 2014 19:23:06 GMT

Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.21

X-Powered-By: PHP/5.4.21

Vary: Accept-Encoding,User-Agent

Content-Length: 1348

Connection: close

Content-Type: text/html
HND_START.PAKET_ID%ENTT5359.AD_LANG%ENT%UA.CHROME_START_PAGE%ENT%1%E
NT%1%ENT%hXXp://search.handycafe.com/start?ua%ENT%4%ENT%.START_PAGE%EN
T%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua.POP_UP%ENT%2%ENT%2%
ENT%hXXp://search.handycafe.com/?ua%ENT%search.handycafe.com%ENTF8%E
NT"0%ENT%0%ENTÎNTER%ENT%0%ENT%0%ENT%handycafe.com%ENT%handycafe.co
m.COOKIE_START%ENT%1%ENT%0%ENT%0%ENT%1%ENT%0%ENT%0%ENT%1.MENU_AD%ENT%3
000%ENT%hXXp://ads.handycafe.com/ads.php?l=ua%ENT0000%ENT 00%ENT%
0%ENT%handycafe.com%ENT%handycafe.com%ENT%0.LOGO_AD%ENT 10%ENT%http:
//ads.handycafe.com/sr.php?l=ua%ENT%0%ENT%0%ENT%0%ENT%search.php%ENT%s
earch.handycafe.com%ENT%0.URL_1%ENT10%ENT%hXXp://search.handycafe.c
om/?ua%ENT%Search%ENT%0%ENT%0%ENT903B09%ENTD0835C%ENTÿFFFF%ENT
%Search%ENT%Search%ENT%handycafe.com.URL_2%ENT12%ENT%hXXp://search.
handycafe.com/?ua%ENT%Search%ENT%0%ENT%0%ENT5555FF%ENT00FF%ENT%F
FFFFF%ENT%Search%ENT%handycafe.com%ENT%handycafe.com.BUTTON%ENT00%E
NT%hXXp://search.handycafe.com/?ua%ENT%Internet%ENT%Search.BUTTON2%ENT
00%ENT%hXXp://search.handycafe.com/?ua%ENT%Internet%ENT%Search%ENT%
0%ENTW0%ENTP0.SILENT_START%ENT%1%ENT%.BG_COLOR_START%ENT%$00F0F0F0
%ENT%$00DDDDDD%ENT%1.WEB_SIZE%ENT0.TRUSTED_SITES%ENT%handycafe.com%
ENT%handycafe.net%ENT%handycafe.com.tr%ENT%qulpi.com%ENT%tr.qulpi.com.
TIMER_STOP.HND_END..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.idata

.edata

P.tls

.rdata

P.reloc

.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

Try to replaced the Memory Manager used with the last FastMM4 Memory Manager (http://fastmm.sourceforge.net).

DELPHI32.EXE

ELeaks.pas unit Error

_com.eurekalog.eleaks.dataclass

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EMsgsRec

Support message

Login message

Operating System Header

Invalid login

An error has occurred during program execution.

Go to the Support Page

We have created an error report that you can send to us. We will treat this report as confidential and anonymous.

To see what data the error report contains,

&Send Error Report

Operating System

Login...

Contact the program support to obtain an update.

Invalid login request.

Operating System|Type

Operating System|Build #

Operating System|Update

Operating System|Language

Operating System|Charset

_BugReport | Full EurekaLog bug report

_ExceptMsg | Last exception message

SystemDrive | The drive containing the Windows root directory

SystemRoot | The Windows root directory

WinDir | Windows directory

.vshost

shfolder.dll

1111111

eurekalog@email.com

%s (Address: %s)

Critical error at: "%s"

Error: "%s".

ECore.Done

ECore.Init

TELVftPathSymbolInfo

.jdbg

%Program Files% (x86)\EurekaLab\EurekaLog 6\Delphi7\EDebug.pas

wsock32.dll

ws2_32.dll

mswsock.dll

Cannot hook a null procedure ("%s").

Cannot hook the module "%s" located into the shared-area.

Cannot hook the procedure "%s".

EHook.Done

EHook.Init

TEurekaClientSMTP

Cannot close the socket: "%s"

Invalid socket: "%s".

Connection error: "%s"

Connected to %d.%d.%d.%d port %d

Error into "send": "%s"

Error into "recv": "%s"

0.0.0.0

IPHLPAPI.DLL

193.121.171.135

Cannot resolve the "%s" MX record.

ESockets.Done

ESockets.Init

MSVCRT.DLL

MSVCRT20.DLL

1.2.3

THTTPResponse

THTTPConnectionBase

THTTPSendReport

THTTPMantisSendReport

THTTPBugzillaSendReport

THTTPFogBugzSendReport

wininet.dll

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpEndRequestA

HttpQueryInfoA

FtpOpenFileA

InternetOpenUrlA

https

Cannot create an HTTP connection with the host: %s

Cannot close the HTTP connection with the host: %s

Content-Type: application/x-www-form-urlencoded

[v%s - 1]: %s (%s)

%s (%s)

login.php

login_select_proj_page.php

password

bug_report_page.php">

my_view_page.php

set_project.php

view_all_set.php?f=3

view_all_bug_page.php

bug_update_page.php?bug_id=

bug_update_advanced_page.php?bug_id=

bug_report_advanced_page.php

bug_report.php

report_stay

bug_report_token

href="view.php?id=

bug_update_page.php

bug_update.php

reporter_id

view.php

enter_bug.cgi

Bugzilla_login

Bugzilla_password

relogin.cgi

index.cgi?logout=1

buglist.cgi

href="query.cgi?

show_bug.cgi?id=

action="post_bug.cgi"

post_bug.cgi

keywords

attachment.cgi

show_bug.cgi

%d %s,
%d %s
{\rtf1\ansi\ansicpg1252\deff0\deflang1040{\fonttbl{\f0\fmodern\fprq1\fcharset%d %s;}}
Microsoft Windows
\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
%s, %d %s %d %0.2d:%0.2d:%0.2d %s
- %s - %s - %s - %s[%s]
%s $%8.8x - [%8.8x] %s %s
$%8.8x - [%8.8x] %s - %s - %s - %s - %s[%s]
[ERROR] - Section: %s - Address: %s - Message: "%s"
6.1.04
Version : %s
Date : %s
OS : %s
RAD : %s
Dump : %s
Section : %s
LastExcept: %s
Address : %s
Exception : %s
Message : %s
Call Stack: %s
Error: '%s'
EurekaLog 6.1.04 critical bug.
support@eurekalog.com
Send manually the "%s" file to the support@eurekalog.com email address, after click on OK button to close this box.
[WARNING] - Code: %s - Address: %s - Message: "%s"
[%s] %s
General '%s' error.
PSAPI.DLL
PSAPI.dll
Kernel32.dll
%Program Files% (x86)\EurekaLab\EurekaLog 6\Delphi7\ExceptionLog.pas
HttpExtensionProc
Content-Length: %d

EurekaLog_IWShowMessage.html
IntraWeb: Cannot show the error page.
IntraWeb: Cannot create the "%s" template.
IntraWeb
IntraWeb: IntraWebApplication e/o IntraWebServerController are set to nil.
Screenshot.png
BugReport.zip
LastHTMLPage.html
EurekaLog_CustomWebFieldsRequestEvent
EurekaLog_PasswordRequestEventEx
EurekaLog_PasswordRequestEvent
%s=%d; %s=%s
; %s=%s
%s: %s=%s; %s=%d; %s=%d
user32.dll
EurekaLog.ini
WindowsState
\\.\mailslot\
RICHED20.DLL
mapi32.dll
SMTP:
%s %d/%d:
AUTH LOGIN
@localhost.com>
SMTP
\*.zip
- Cannot find the "%s" library.
%s error code: %d%s
HTTPS
Error Code: %d
Error Message: "%s"
%d x %d, %d bit
000.000.000.000
iphlpapi.dll
HardwareInformation.MemorySize
HardwareInformation.AdapterString
windows
winspool.drv
EurekaLog 6.1.04
EAX: %s EDI: %s
EBX: %s ESI: %s
ECX: %s ESP: %s
EDX: %s EIP: %s
%s%s:
|%s|%s|%s|%s|%s|%s|
|%s|%s|%s|%s|%s|%s|%s|
|%s|%s|%s|%s|%s|%s|%s|%s|
_ExceptMsg
_BugReport
Cannot use 'CurrentEurekaLogOptions' function in module "%s" without activate EurekaLog.
5.0.0
7.2.32
%s: %s=%d - %s=%d
Intraweb_
VCL70.BPL
VISUALCLX70.BPL
INDY70.BPL
INDYCORE70.BPL
57E8411D-873A-4B87-921F-B8A95569244B6.1.04 Professional
ExceptionLog.Done
ExceptionLog.Init
EInvalidGraphicOperation
%s%s (*.%s)|*.%2:s
%s*.%s
%s (%s)|%1:s|%s
comctl32.dll
USER32.DLL
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
MAPI32.DLL
vsReport
Uh.VJ
TComboBoxExEnumerator
ole32.dll
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword`
crSQLWait
imm32.dll
AutoHotkeys
EInvalidGridOperation
Software\Microsoft\Windows\CurrentVersion\Internet Settings\
cmLoginRequest
cmLogin
cmUrl
cmWeb
cmChangePass
cmClearVisitedWeb
cmRequestForLogin
cmWebCamReq
TCafeKey
#,##0.00
#,##0.00
#,##0.00
acc.bat
TOnUDPDataEvent
FromPort
TAtUdp
untudp
LocalPortT
RemotePort0
1.0.5
127.0.0.1
%d.%d.%d.%d
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
WindowsDirectory0
Windows 3.1
Windows 95/98
Windows XP
Windows NT
_list.dat
EXPLORER.EXE
HNDSERVER.EXE
_GUARD.EXE
IPCLN.EXE
CLNFW.EXE
IPLSRV.EXE
IPSRV.EXE
IPLCLN.EXE
IEXPLORE.EXE
ccpxysvc.exe
Invalid ZStream operation!
Port0
Certificates
CertifPers
CertifSite
CertPub
FormSuggest Passwords
ResetWebSettings
NoBrowserSaveWebComplete
NoChangeKeyboardNavigationIndicators
NoWindowsSetupPage
NoSupportInfo
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
{645FF040-5081-101B-9F08-00AA002F954E}
{450D8FBA-AD25-11D0-98A8-0800361B1103}
NoWindowsUpdate
NoFileUrl
Disable the Full Screen view option and F11 key
Disable Certificates & Publishers buttons
Prevent changing Certificate options
Remove the Personal tab from Certificate manager
Prevent Prompt me to save password from being displayed
Disable the Reset web Setting button
Disable Save As Web Page Complete from File>Save As
Remove Windows update from Start Menu|Settings. and IEs Tools menu
Disable the "Windows and buttons" style control (Windows XP)
Disable the "Color scheme" control (Windows XP)
Disable the "Font size" control (Windows XP)
Hide the Themes tag which prevents the user from selecting an alternate theme (Windows XP)
Disable the "Hide keyboard navigation indicators until I use the ALT key" option in the Display Control Panel (Windows 2000/XP)
Prevent users from selecting the option to animate the movement of windows and menus (Windows 2000/XP)
Prevent users from accessing the Change Passwords page (Windows 95/98/Me)
Disable access to the Passwords icon on the control panel (Windows 95/98/Me)
Disable The user profile page controls (Windows 95/98/Me)
Stop users from being able to change the remote administration settings for the computer (Windows 95/98/Me)
Hide the Virtual Memory button from the System icon on the Control Panel (Windows 95/98/Me)
Hide the File System button from the System icon on the Control Panel (Windows 95/98/Me)
Hide the Hardware Profiles page from the System icon on the Control Panel (Windows 95/98/Me)
Disable Device Manager under Control Panel (Windows 95/98/Me)
Disable Task Manager (Windows XP)
Remove access to the Access Control Page (Windows 95/98/Me)
Disable access to the Network ID page (Windows 95/98/Me)
Hide the file and printer sharing controls, stopping users from disabling or creating new file or printer shares (Windows 95/98/Me)
Disable access to the Network Control Panel icon (Windows 95/98/Me)
Hide the printer details and general printer information pages (Windows 95/98/Me)
Remove the Security tab from Windows explorer (Windows XP)
Remove the hardware tab from applicable items in the Control Panel and from the local drive properties (Windows 2000/XP)
Hide the Search Button on the Explorer Toolbar (Windows 2000/XP)
Remove Properties from My Computer (Windows XP)
Remove My Documents from the Start Menu (Windows 2000/Me/XP)
Disable Add/Remove Programs (Windows 2000/XP)
Disable Change and Remove Programs (Windows 2000/XP)
Disable Add Programs (Windows 2000/XP)
Disable Windows Components Wizard (Windows 2000/XP)
Hide "Add a program from CD-ROM or disk" option (Windows 2000/XP)
Hide "Add programs from Microsoft" option (Windows 2000/XP)
Hide "Add programs from your network" option (Windows 2000/XP)
Go directly to Windows Components Wizard (Windows 2000/XP)
Disable Support Information (Windows 2000/XP)
TCPRestrictions@
TCPRestrictions
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
Software\Microsoft\Windows\CurrentVersion\Policies\System\
Software\Microsoft\Windows\CurrentVersion\Policies\Network\
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
hndclient.exe
_hndguard.exe
FtPj
SetPort
00-00-00-00-00-00
tmpdownload_update.tmp
updatecln.exe
tmpdownload_file.tmp
tmpdownload_cafe.tmp
tmpdownload_rules.tmp
tmpdownload_rest.tmp
TClientWeb
Port
RemotePort0zP
AdminPass0
OnUrl
OnAdminLogin
OnLogin
OnWeb FR
PASSWORD
3.4.14
http://www.handycafe.com
data\data.dat
data\fw.dat
data\fwx.dat
_hcfon.dat
Create:UDPCreate
UDPSocketCreateEvent
Error:UDPSocketCreateEvent
230.4.4.46
hremoteserver.dll
brserver.dll
UDPData:Stream
UDPData:Stream2
UDPData:SafeData
UDPData:Exit
%d-%d-%d-%d-%d
LocalPort
RemotePort
RFBPort
BRPort
AdminPass
NoMsg
OnLastMsg
OnLoginFile
OnLoginSound
handyCafe - http://www.handycafe.com
PingServer::GetExeName
%d bits, %d x %d - %d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Internet Explorer\TypedURLs
iphcln.exe
%s %d %s %s true
%s %d %s %s false
Software\Microsoft\Windows\CurrentVersion\Run
_hndguard.exe -runguard
Software\Microsoft\Windows\CurrentVersion\RunServices
dump.log
\Mozilla\Firefox\
profiles.ini
\user.js
"browser.startup.homepage"
"browser.startup.page"
"general.useragent.extra.handycafe.client"
http://
\Google\Chrome\User Data\Default\
-%SS%-
"startup_urls":
"urls_to_restore_on_startup":
user_pref("browser.startup.homepage", "
user_pref("browser.startup.page", 1);
user_pref("general.useragent.extra.handycafe.client", "handyCafeCln/
\prefs.js
Uhn%S
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Uh%4S
_mr.dt
c:\program files (x86)\borland\delphi7\Source\vcl\OleServer.pas
olepro32.dll
TSQLTimeStampVariantType
TSQLTimeStampData
SqlTimSt
c:\program files (x86)\borland\delphi7\Source\vcl\SqlTimSt.pas
SQLTimeStamp
%s: %s
Password
TLoginDialog
TPasswordDialog
TPasswordDialogH
lng.ini
OnActionExecute
IWebBrowser(
IWebBrowserApp
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowser
http/1.
AtTCPComp
TAtTCPClient
PortT
Content-Length: %SIZE%
ÚTATYPE% ¬TION% HTTP/1.0
ÚTATYPE%
AtWebPost
%SIZE%
Host, Action and Port must set!
hc%d%d.tmp
atwebpost
TWebpostEvent
TAtWebPost
HTTPS ^T
OnThreadExecute
TAtWebpostThread
https://
%s?%s
HTTP/1.1
Range: bytes=-%d
FilterGraph %p pid %x
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStart$
OnDVDCMDEnd
OnDVDWarningFormatNotSupported
Portable Network Graphics
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
JclBase$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
JCL\source\windows
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
windows-1256
windows-1257
windows-1250
windows-1251
windows-1253
windows-1255
csShiftJIS
csWindows31J
windows-874
windows-1254
ISO_646.irv:1991
windows-1258
Windows-1252
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
ccIDSBinaryOperator
ccIDSTrinaryOperator
ccJoinControl
Mathematical Operators
Supplemental Mathematical Operators
Transport And Map Symbols
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
TRootKey
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
EJclMutexError
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
TUnitVersioning$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
TJclIntfCriticalSection$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
$URL: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/s... $
Edit1KeyPress
Edit2KeyPress
TfrmLogin
Login
default.swf
C:\handyCafe\lvcomp\AtComps\UNulContainer.pas
Browser's Default interface does not support IOleObject
Version: 3.4.14
Admin Password
%s "%s"
*.ini
Passwords do not match.
TfrmChangePass
Change Password
WebBrowser1
ChangePassword1
UrlTimer2$
UrlTimer1(
webRefreshTimer<
WebWBD
ChangePassword1Click
UrlTimer1Timer
UrlTimer2Timer
FormKeyPress
webRefreshTimerTimer
WebWBBeforeNavigate2
WebBrowser1NewWindow2
WebBrowser1BeforeNavigate2$
WebBrowser1CommandStateChange"
WebBrowser1DocumentComplete
WebBrowser1DownloadBegin"
WebBrowser1DownloadComplete#
WebBrowser1NavigateComplete2
http://search.handycafe.com/?
%SERVER%
InternetExplorer.Application
%s;-%s
SpinEdit1KeyUp
WebBrowser1DocumentComplete
Uh}%X
AtWebPost12$
AtWebPost1&
ClientLogin
ClientUrl
ClientAdminLogin
ClientWeb
AtWebPost2ThreadExecute
AtWebPost12DownloadCompleted
AtWebPost1ThreadExecute
ClientLogout::Keyex
ClientLogout::Key
ClientLogout::MSGClose
ClientLogout::ChangePassClose
SYSKeys
Software\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
handycafe.com
_wreq.exe
lgn.ini
lgo.ini
Banners\shbanner.htm
CmdGet =
CmdSent =
Error.log
.mpeg
ClientLogoutRequest::HookKeys
/index.htm?RndID=
_hndguard.exe -rungrd
%s - %sVersion: %sHost: %sError Type: %sError Message: %sOS: %sCmdGet: %sCmdSent: %sProc: %s----%s
http\shell\open\command
%dx%d
&ProductKey=
&hpass=hcafe
/se/adx.php
ad.handycafe.com
URL_2
CHROME_START_PAGE
WEB_SIZE
&webY=
Content-type: application/x-www-form-urlencoded
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
data\sets.ini
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
12005 The URL is invalid.
A12006 The URL scheme could not be recognized or is not supported.
I12012 The Win32 Internet function support is being shut down or unloaded.
12014 Password is incorrect.
)12016 The requested operation is invalid.
!12017 The operation was canceled.
B12018 The type of handle supplied is incorrect for this operation.
l12019 The requested operation cannot be carried out because the handle supplied is not in the correct state.
]12026 The required operation could not be completed because one or more requests are pending.
>12037 SSL certificate date is bad. The certificate is expired.
A12038 SSL certificate common name (host name field) is incorrect.
h12045 The function is unfamiliar with the Certificate Authority that generated the server's certificate.
*12055 The SSL certificate contains errors.
s12110 The requested operation cannot be made on the FTP session handle because an operation is already in progress.
12111 FTP session aborted.
212112 Passive mode is not available on the server.
@12135 The type of the locator is not correct for this operation.
~12136 The requested operation can be made only against a Gopher  server, or with a locator that specifies a Gopher  operation.
312154 The request made to HttpQueryInfo is invalid.
12156 The redirection failed because either the scheme changed (for example, HTTP to FTP) or all attempts made to redirect failed (default is five attempts).
*12160 The HTTP request was not redirected.
,12161 The HTTP cookie requires confirmation.
112162 The HTTP cookie was declined by the server.
612164 The Web site or server indicated is unreachable.
!12169 SSL certificate is invalid.
"12170 SSL certificate was revoked.
EAbout.pas
EBase64.pas
EBaseModule.pas
EBorlandDebug.pas
ECheck.pas
ECmdLine.pas
ECommon.pas
EConsts.pas
ECore.pas
ECrc32.pas
EDebug.pas
EDesign.pas
EDisAsm.pas
EEncrypt.pas
EHash.pas
EHook.pas
EIDEOptions.pas
ELang.pas
ELeaks.pas
EListView.pas
ELogManager.pas
EMain.pas
EMessages.pas
ENagScreen.pas
EOption.pas
EParser.pas
EResource.pas
ESockets.pas
EToolsAPI.pas
EToolServices.pas
ETypes.pas
EVariables.pas
EWait.pas
EWebTools.pas
EWinSock.pas
ExceptionLog.pas
EXMLBuilder.pas
EZip.pas
EZlib.pas
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
SHFileOperationA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
comdlg32.dll
ADVAPI32.DLL
GetUdpStatistics
GetTcpStatistics
GetUdpTable
GetTcpTable
winmm.dll
quartz.dll
urlmon.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
33333333330
3333338
3333333330
3333833330
3333330
333333330
3333333333
33333333333333
337373?3
333373?33
33333337
3733333
3337333
3333373
3737333
373333?3
333333333
333?33?333
333373?3
338333?330
33383?3330
3833830
<<9876$8
>=<9887$8
hg<1)ú
E(.Fcn
!'''{~~~
   {'''{...
&U%cg^
%/%S$^gN
.yOax
yuRlX
U.xSF
%So_^-.rN
2.DJY
..JM4
"n.YQ;
.ba&J
K.BQR
7.QLx
8 .zs
.rtL!
'%D#QO
`ML%D@=a*
.fNl'R
%S/uo
?Q*FI
%sQ!i)9_
%u1}pZ
%c@dO!L
.VZH2
.qF9V
|õ^b
,.IsWM
7g`%s
!(.sU
}}.If
h.IN'
E.kS_
h.bLP8
.YnOH
(w$.sv
-owi}
.hxNf
=%U^I
.IRhz
J.Ft`
UHd.JU,
-.TnhX
U'-v}W
:>}%s
_mr%F
bv5%XI
XS.VKX
.QBE8
.Fl3v
.FB{hu
xl.BX
;.kSs
T%d 7!^y
.PNfHZt%A
0.JEf
Cmd,y B
.WMeR
%SP!}8\t
N.ZT rU
0u=%s
%x"]#
F.sxz$
)Ac%fy
|W6%X*-
p!l_:%C
WfC
.dL5)t
*ôQ!
1t%X j
.EZ`(
.tyEYM
GjRO8#:/%d
.Pgso
?üIU
%dT*@k
.pT!m
SQlt
T.tZq
D.dfY
}.fz>
s%uE*
Ø/H
%fh3y
.nUXZ
f<%UrL
n ,y
[0.mK
e6>%s
!-
.NBF{
0.IKc[
.pX;ro
KWindows
UrlMon
JvExExtCtrls
?HTTPApp
>WebConst
rSqlTimSt
.ScktComp
fJwaIpExport
IdUDPClient
IdUDPBase
EWebTools
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Glyph.Data
IconOptions.AutoArrange
frmChangePass
New Password
Re-type Password
frmLogin
Icon.Data
Login Request
3.4.11
OnWeb
AtWebPost12
AtWebPost1
/Content-Type: application/x-www-form-urlencoded
Picture.Data
WebWB
UrlTimer2
UrlTimer2Timer
UrlTimer1
webRefreshTimer
webpop
webpopTitleChange
EditLabel.Width
EditLabel.Height
EditLabel.Caption
Admin Password (Re-type)
Disable "Login Request"
On Login
Items.Strings
Client UDP Port
Server UDP Port
IMPORTANT: Please do not change these settings. If you are having troubles please kindly contact us. Our support team will assist to solve your problems. Server / Client Password is not your admin password.
Server / Client Password
#Bitmap Files|*.bmp|Jpeg Files|*.jpg
All files|*.*
%%%c,,,
4###`###
VMROptions.Mode
LoginDialog
Database Login
&Password:
PasswordDialog
Enter password
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
TFRMCHANGEPASS
TFRMLOGIN
TLOGINDIALOG
TPASSWORDDIALOG
To see what data this error report contains,
Send Error Report
No GIF Data to writeÊnnot change the Size of a GIF image
Could not load '%s' libraryLFile specified is not an executable file, dynamic-link library, or icon file
All files (*.*)|*.*
Win32 error: %s (%u)%s%s
128-Byte PrefetchingeCPUID leaf 2 does not report cache descriptor information, use CPUID leaf 4 to query cache parameters
Invalid MMF name "%s"*The MMF named "%s" cannot be created empty
-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.7The png image could not be loaded from the resource ID.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
CompuServe GIF ImageÊnnot change the Size of a GIF image
Remote LoginjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.
*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Field '%s' not found
%s is not a valid BCD value$Could not parse SQL TimeStamp string
Invalid SQL date/time values
RCode NO Error%DNS Server Reports Query Format Error%DNS Server Reports Query Server Error#DNS Server Reports Query Name Error.DNS Server Reports Query Not Implemented Error&DNS Server Reports Query Refused Error
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
JPEG error #%d
Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d
Invalid ownerE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
(%dx%d)
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned
Value must be between %d and %d
Invalid input value7Invalid input value. Use escape key to abandon changes
%s property out of range
Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Invalid data type for '%s'&Cannot insert or delete rows from grid List capacity out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
System Error. Code: %d.
*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
3.4.1.4

%original file name%.exe_1744_rwx_00C2B000_00001000:


g@email.com
EAbout.pas
ECmdLine.pas
EBase64.pas
EBaseModule.pas
EBorlandDebug.pas
ECheck.pas
ECrc32.pas
EDebug.pas
ECommon.pas
EConsts.pas
ECore.pas
EEncrypt.pas
EHash.pas
EHook.pas
ELang.pas
EDesign.pas
EDisAsm.pas
EToolServices.pas
ETypes.pas
EVariables.pas
EWait.pas
EWebTools.pas
EWinSock.pas
ExceptionLog.pas
EXMLBuilder.pas
EIDEOptions.pas
ELeaks.pas
EListView.pas
ELogManager.pas
EMain.pas
EMessages.pas
ENagScreen.pas
EOption.pas
EParser.pas
EResource.pas
ESockets.pas
EToolsAPI.pas
EZip.pas
EZlib.pas
DNS Server Reports Query Server Error
kernel32.dll
DNS Server Reports Query Refused Error

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
   C:\Language\lng.ini (23 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "hndclient" = "c:\%original file name%.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.