MD5: 4ccdfa9566d5f345437241a3a7cd9b45
SHA1: 90a6ab72ccb46a06f238ddd37a55bb84c9e94bc5
SHA256: bad6e19c55322aa4ff1e6cab64de006e05e2678f541e4150a3b1bbcc6c079480
SSDeep: 49152:u f4sUHViRXDldgw3i272sRcv34T403ohz2eIDEmU4dEBaIhHhwybUDRe87uo6:u f4sn6wS272ZoTVodnj4dEB7lVUg5o6
Size: 3257149 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-03-31 18:09:55
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

teracopy.exe:1776
%original file name%.exe:684
WScript.exe:1772
gmail.exe:2600
gmail.exe:1592
ilasm.exe:1856

The Trojan injects its code into the following process(es):

gmail.exe:2080
teracopy.tmp:440

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process teracopy.exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-JM6G1.tmp\teracopy.tmp (1422 bytes)

The process %original file name%.exe:684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gmail.exe (12203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\teracopy.exe (95362 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnAF13.tmp (0 bytes)

The process WScript.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\gmail.exe (2321 bytes)

The process gmail.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.il (713 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp_MF.vbs (758 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.il (0 bytes)

The process gmail.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Java.exe (2321 bytes)

The process gmail.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gmail.exe (2321 bytes)

The process teracopy.tmp:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-18URE.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-18URE.tmp\_isetup\_RegDLL.tmp (4 bytes)

The process ilasm.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.exe (4208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.il (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.pdb (18238 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.pdb (0 bytes)

Registry activity

The process %original file name%.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process gmail.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"wshext.dll,-4511" = "Open &with Command Prompt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids]
"VBSFile" = "Type: REG_NONE, Length: 0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\java.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process gmail.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Java.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 19
f7bb0011d6c6968ceb868c1c4ef67767
555f51b7953b666ca6299179970de7b8
acb49d98ea3a8b876c0acb74275466aa
f6dc697d87b600c309ef98c940f01213
f55c0ae7bb1daea0844ec11a0a178147
bc070e1207536c01495738b0a870b779
58c064a2ef964a2c30c7b6d67115391a
b50291ce6a5ce0ae380c9cd6b0b75ac0
9fe401227e3111c3de05e30978435767
61f33eb536a8bf675ef34e788ad5698c
f9a84b61697b68fd36d875861e20abda
b3622067a6f804b58e369f6fc4807150
76b899bf728fdeb8f24981e9840b4075
9d1fe23351ce6c9c13ed71dd3e654c7b
fe8a1d76ad80de655675fdece4bda161
0834efddb9435dded5c3da54ff228b20
0ad22f45c4054fa3a657e5a8d0d6135b
dad86a262b469626e3441f028279313f
1f3ee9ca0e8c7deb963d040aeae64bd1

URLs

URL	IP
smtp.gmail.com	64.233.165.108

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.4.2)

Inno Setup Messages (5.1.11)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

teracopy.tmp_440:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

%s_%d

EInvalidOperation

TKeyEvent

TKeyPressEvent

crSQLWait

t.HtR

EInvalidGraphicOperation

TWindowState

poProportional

KeyPreview

WindowState

OnKeyDown

OnKeyPress

OnKeyUp

CTL3D32.DLL

PasswordChar

ssHorizontal

OnKeyUpheB

RegDeleteKeyExA

advapi32.dll

.DEFAULT\Control Panel\International

user32.dll

shlwapi.dll

TPSExec

TPSRuntimeClassImporter

TPSExportedVar

Cannot Import

Interface not supported

Uh.oD

TPSCustomDebugExec

TPSDebugExec

uxtheme.dll

oleacc.dll

RICHED20.DLL

RICHED32.DLL

File I/O error %d

Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.

shell32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

WININIT.INI

t.Htb

Software\Microsoft\Windows\CurrentVersion\SharedDLLs

RegCreateKeyEx

RegOpenKeyEx

sfc.dll

cmd.exe" /C "

COMMAND.COM" /C

PendingFileRenameOperations

PendingFileRenameOperations2

Software\Microsoft\Windows\CurrentVersion\Fonts

Software\Microsoft\Windows NT\CurrentVersion\Fonts

IPropertyStore::SetValue(PKEY_AppUserModel_ID)

IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)

OLEAUT32.DLL

Uh.gE

Log opened. (Time zone: UTC%s%.2u:%.2u)

%s Log %s #%.3u.txt

MsgWaitForMultipleObjects

regsvr32.exe"

Spawning _RegDLL.tmp

_isetup\_RegDLL.tmp

_RegDLL.tmp %u %u

REGDLL failed with exit code 0x%x

REGDLL mutex wait failed (%d, %d)

REGDLL returned unknown result code %d

Cannot register 64-bit DLLs on this version of Windows

HELPER_EXE_AMD64

Cannot utilize 64-bit features on this version of Windows

64-bit helper EXE wasn't extracted

\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x

CreateNamedPipe

SetNamedPipeHandleState

helper %d 0x%x

Helper process PID: %u

Stopping 64-bit helper process. (PID: %u)

Helper process exited with failure code: 0x%x

TransactNamedPipe

TransactNamedPipe/GetOverlappedResult

Helper: Command did not execute

SOFTWARE\Microsoft\.NETFramework

.NET Framework not found

SOFTWARE\Microsoft\.NETFramework\Policy\v4.0

v4.0.30319

SOFTWARE\Microsoft\.NETFramework\Policy\v2.0

v2.0.50727

SOFTWARE\Microsoft\.NETFramework\Policy\v1.1

v1.1.4322

.NET Framework version %s not found

Fusion.dll

Failed to load .NET Framework DLL "%s"

Failed to get address of .NET Framework CreateAssemblyCache function

.NET Framework CreateAssemblyCache function failed

MoveFileEx failed (%d).

Deleting directory: %s

Failed to delete directory (%d). Will retry later.

Failed to delete directory (%d). Will delete on restart (if empty).

Failed to delete directory (%d).

Deleting file: %s

Failed to delete the file; it may be in use (%d).

ExtractRecData: Unicode data unsupported by this build

The file appears to be in use (%d). Will delete on restart.

Decrementing shared count (%d-bit): %s

Unregistering 64-bit DLL/OCX: %s

Unregistering 32-bit DLL/OCX: %s

Not unregistering DLL/OCX again: %s

Unregistering 64-bit type library: %s

Unregistering 32-bit type library: %s

Uninstalling from GAC: %s

Running Exec filename:

Running Exec parameters:

CreateProcess failed (%d).

Process exit code: %u

Running ShellExec filename:

Running ShellExec parameters:

ShellExecuteEx failed (%d).

Skipping RunOnceId "%s" filename: %s

Unregistering font: %s

zlib: Internal error. Code %d

1.2.1

bzlib: Internal error. Code %d

lzmadecomp: %s

lzmadecomp: Compressed data is corrupted (%d)

DecodeToBuf failed (%d)

TPasswordEdit

PasswordEdit(

Password

c:\directory

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

PasswordPage

PasswordLabel

PasswordEdit

PasswordEditLabel$

Could not find page with ID %d

Software\Microsoft\Windows\CurrentVersion\Uninstall

%s\%s_is1

CheckPassword

PrepareToInstall failed: %s

Need to restart Windows? %s

/:*?"<>|

\/:*?"<>|

%s-%d.bin

%s-%d%s.bin

..\DISK%d\

Asking user for new disk containing "%s".

Cannot read an encrypted file before the key has been set

LoggedMsgBox returned an unexpected value. Assuming Abort.

Software\Microsoft\Windows\CurrentVersion\Uninstall\

5.4.2 (a)

URLInfoAbout

URLUpdateInfo

Creating directory: %s

Setting permissions on directory: %s

Failed to set permissions on directory (%d).

Setting NTFS compression on directory: %s

Unsetting NTFS compression on directory: %s

Failed to set NTFS compression state (%d).

IMsg

Failed to set value in Fonts registry key.

Failed to open Fonts registry key.

Setting permissions on file: %s

Failed to set permissions on file (%d).

Setting NTFS compression on file: %s

Unsetting NTFS compression on file: %s

Dest filename: %s

Dest file is protected by Windows File Protection.

Time stamp of our file: %s

Time stamp of existing file: %s

Version of our file: %u.%u.%u.%u

Version of existing file: %u.%u.%u.%u

Existing file is protected by Windows File Protection. Skipping.

Uninstaller requires administrator: %s

The existing file appears to be in use (%d). Will replace on restart.

The existing file appears to be in use (%d). Retrying.

Registering file as a font ("%s")

Cannot install files to 64-bit locations on this version of Windows

desktop.ini

.ShellClassInfo

{0AFACED1-E828-11D1-9187-B532F1E9575D}

target.lnk

Filename: %s

Desktop.ini

Software\Microsoft\Windows\CurrentVersion\App Paths\

Setting permissions on registry key: %s\%s

Could not set permissions on the registry key because it currently does not exist.

Failed to set permissions on registry key (%d).

Cannot access 64-bit registry keys on this version of Windows

Registration executable created: %s

Software\Microsoft\Windows\CurrentVersion\RunOnce

Registering 64-bit DLL/OCX: %s

Registering 32-bit DLL/OCX: %s

Registering 64-bit type library: %s

Registering 32-bit type library: %s

Directory for uninstall files: %s

Will append to existing uninstall log: %s

Will overwrite existing uninstall log: %s

Creating new uninstall log: %s

LoggedMsgBox returned an unexpected value. Assuming Cancel.

Fatal exception during installation process (%s):

ExtractTemporaryFile: The file "%s" was not found

Invalid symbol '%s' found

Invalid token '%s' found

QuerySpawnServer: Unexpected response: $%x

CallSpawnServer: Unexpected response: $%x

CallSpawnServer: Unexpected status: %d

ShellExecuteEx

ShellExecuteEx returned hProcess=0

Wnd=$%x

FormKeyDown

PasswordCheckHash

Expression error '%s'

Cannot evaluate "%s" constant during Uninstall

Cannot access a 64-bit key in a "reg" constant on this version of Windows

Unknown custom message name "%s" in "cm" constant

srcexe

Cannot expand "pf64" constant on this version of Windows

Cannot expand "cf64" constant on this version of Windows

uninstallexe

Cannot expand "dotnet2064" constant on this version of Windows

Cannot expand "dotnet4064" constant on this version of Windows

Failed to expand shell folder constant "%s"

Unknown constant "%s"

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

cmd.exe

COMMAND.COM

\_RegDLL.tmp

REGDLL_EXE

\_setup64.tmp

_isetup\_shfoldr.dll

Failed to get version numbers of _shfoldr.dll

shfolder.dll

Failed to load DLL "%s"

Found pending rename or delete that matches one of our files: %s

Windows version: %u.%u.%u%s (NT platform: %s)

64-bit Windows: %s

Processor architecture: %s

Defaulting to %s for suppressed message box (%s):

Message box (%s):

User chose %s.

MsgBox failed.

/SPAWNWND=$%x /NOTIFYWND=$%x

64-bit install mode: %s

%d.%d

_isetup\_isdecmp.dll

_isetup\_iscrypt.dll

/Password=

/SuppressMsgBoxes

/DETACHEDMSG

-0.bin

Setup version: Inno Setup version 5.4.2 (a)

Original Setup EXE:

Windows NT

Windows

Not restarting Windows because Setup is being run from the debugger.

Restarting Windows.

Inno Setup version 5.4.2 (a)

Portions Copyright (C) 2000-2011 Martijn Laan

hXXp://VVV.innosetup.com/

hXXp://VVV.remobjects.com/ps

Cannot run files in 64-bit locations on this version of Windows

Type: Exec

Type: ShellExec

Will not restart Windows automatically.

System\CurrentControlSet\Control\Windows

TOutputMsgWizardPage

TOutputMsgWizardPagep(H

TOutputMsgMemoWizardPage

TOutputMsgMemoWizardPage$)H

PasswordEdit

PasswordEditLabel

MsgLabel

Msg1Label

Msg2Label

function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;

function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;

function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;

function GetIniString(const Section, Key, Default, Filename: String): String;

function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;

function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;

function IniKeyExists(const Section, Key, Filename: String): Boolean;

function SetIniString(const Section, Key, Value, Filename: String): Boolean;

function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;

function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;

procedure DeleteIniEntry(const Section, Key, Filename: String);

function GetCmdTail: String;

function StringChangeEx(var S: String; const FromStr, ToStr: String; const SupportDBCS: Boolean): Integer;

function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;

function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;

function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;

function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;

function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;

function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;

function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;

function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;

function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;

function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;

function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: AnsiString): Boolean;

function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;

function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: AnsiString): Boolean;

function CheckForMutexes(Mutexes: String): Boolean;

function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;

function ExecAsOriginalUser(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;

function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;

function ShellExecAsOriginalUser(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;

function MakePendingFileRenameOperationsChecksum: String;

function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;

function ExitSetupMsgBox: Boolean;

function GetWindowsVersion: Cardinal;

procedure GetWindowsVersionEx(var Version: TWindowsVersion);

function GetWindowsVersionString: String;

function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;

function CustomMessage(const MsgName: String): String;

function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;

function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;

function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;

function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;

function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;

function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;

procedure RaiseException(const Msg: String);

function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;

Cannot call "%s" function during Setup

Cannot call "%s" function during Uninstall

Cannot call "%s" function during non Unicode Setup or Uninstall

CREATEOUTPUTMSGPAGE

CREATEOUTPUTMSGMEMOPAGE

MSGBOX

Invalid RootKey value

INIKEYEXISTS

GETCMDTAIL

REGKEYEXISTS

REGDELETEKEYINCLUDINGSUBKEYS

REGDELETEKEYIFEMPTY

REGGETSUBKEYNAMES

CHECKFORMUTEXES

SHELLEXEC

SHELLEXECASORIGINALUSER

MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM

Unknown custom message name "%s"

EXITSETUPMSGBOX

GETWINDOWSVERSION

GETWINDOWSVERSIONSTRING

%u.%.2u.%u

SUPPRESSIBLEMSGBOX

%u.%u.%u.%u

Cannot disable FS redirection on this version of Windows

GetWindowsVersionEx

Runtime Error (at %d:%d):

Exception "%s" at address %p

TScriptRunner.SetPSExecParameters: Invalid type

TScriptRunner.LoadScript failed

Remove shared file %s? User chose %s%s

/INITPROCWND=$%x

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x

Original Uninstall EXE:

Install was done in 64-bit mode but not running 64-bit Windows now

Removed all? %s

Not restarting Windows because Uninstall is being run from the debugger.

IMsgt

isRS-???.tmp

isRS-%.3u.tmp

DisableProcessWindowsGhosting

FTPF0P

0123456789abcdefInno Setup Setup Data (5.4.2)

Inno Setup Messages (5.1.11)

CEw.AEw

oleaut32.dll

RegQueryInfoKeyA

RegOpenKeyExA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

GetWindowsDirectoryA

CreateNamedPipeA

mpr.dll

version.dll

gdi32.dll

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

comctl32.dll

ole32.dll

ShellExecuteExA

ShellExecuteA

comdlg32.dll

.text

`.rdata

@.data

.pdata

@.rsrc

COMCTL32.dll

SHLWAPI.dll

SetProcessShutdownParameters

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

`.data

.rsrc

@.reloc

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation

RegKey

GetWindowsDirectoryW

RegOpenKeyA

SHFOLDER.dll

dll\shfolder.dbg

Font.Color

Font.Height

Font.Name

Font.Style

name="JR.Inno.Setup"

version="1.0.0.0"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance

Class %s not found

Resource %s not found!Resource %s is of incorrect class

List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates

Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists#''%s'' is not a valid integer value

Error reading %s.%s: %s

Ancestor for '%s' not found

Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)

Unsupported clipboard format

Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s property out of range

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application

Could not load CARDS.DLL

Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation

Grid too large for operation Too many rows or columns deleted

%s on line %d

''%s'' expected

%s expected

Invalid input value7Invalid input value. Use escape key to abandon changes

Value must be between %d and %d<Cannot create a default method name for an unnamed component

''%s'' is not a valid date

''%s'' is not a valid time#''%s'' is not a valid date and time

Invalid file name - %s

All files (*.*)|*.*

&Files: (*.*)

Invalid clipboard format Clipboard does not support Icons

Custom Colors Operation not supported on selected printer.There is no default printer currently selected

Unable to write to %s

Invalid data type for '%s'

Failed to create key %s

Failed to set data for '%s'

Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)

/Menu '%s' is already being used by another form

Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s

Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

n%USERPROFILE%

r%SYSTEMROOT%

5.50.4807.2300

Microsoft(R) Windows (R) 2000 Operating System

Datos de programa%Configuraci

51.52.0.0

gmail.exe_2080:

.text

`.rsrc

@.reloc

`.sdata

.rsrc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

Microsoft.VisualBasic

ClassLibrary1.My

MyWebServices

FirefoxRecoveryClass

SQLiteBase

SQLiteDataTypes

ClassLibrary1.Functions.Spreading

ClassLibrary1.Functions.FileRecovery

ClassLibrary1.Functions.PasswordRecovery

ClassLibrary1.Functions.Other

CoreFTP

SmartFTP

GoogleChrome

SQLiteHandler

GetFirefoxOld

Opera

SafeKeyHandle

CMSNMessengerPasswords

CMSNMessengerPassword

sqlite_master_entry

StringIndexEntry

MSNPass

ClassLibrary1.My.Resources

Microsoft.VisualBasic.ApplicationServices

.ctor

Microsoft.VisualBasic.Devices

.cctor

get_WebServices

m_MyWebServicesObjectProvider

WebServices

Microsoft.VisualBasic.MyServices.Internal

PK11_GetInternalKeySlot

loadCerts

System.Text

DecryptPassword

GetProcessHeap

sqlite3_open

sqlite3_close

sqlite3_exec

sqlite3_errmsg

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_count

sqlite3_column_name

sqlite3_column_type

sqlite3_column_int

sqlite3_column_double

sqlite3_column_text

sqlite3_column_blob

sqlite3_column_table_name

sqlite3_finalize

SQL_OK

SQL_ROW

SQL_DONE

System.Collections

System.Data

GetFirefox

MozillaFirefox

VisitWebsite

ForceSteamLogin

DownloadAndExecute

System.Security.AccessControl

GetCoreFTP

hKey

Microsoft.Win32

RegistryKey

GetSmartFTP

GetChrome

SQLDataTypeSize

FindFirstUrlCacheEntry

lpszUrlSearchPattern

wininet.dll

FindFirstUrlCacheEntryA

FindNextUrlCacheEntry

FindNextUrlCacheEntryA

FindCloseUrlCache

kernel32.dll

advapi32.dll

dwKeySpec

KEY_QUERY_VALUE

KEY_ENUMERATE_SUB_KEYS

KEY_NOTIFY

KEY_SET_VALUE

KEY_CREATE_SUB_KEY

KEY_READ

KEY_WRITE

HKEY_CURRENT_USER

RegOpenKeyEx

lpSubKey

RegOpenKeyExA

RegCloseKey

crypt32.dll

oleaut32.dll

ProcessIEPass

strURL

AddPasswdInfo

System.Runtime.InteropServices

subKey

System.Collections.Generic

RegEnumKeyEx

RegEnumKeyExA

shell32.dll

msidcrl.dll

PassportFreeMemory

m_MSNPass

getMSN75Passwords

m_szLogin

m_szPassword

szLogin

szPassword

get_Password

get_Login

Password

Login

sql_statement

URLName

DOMAIN_PASSWORD

DOMAIN_CERTIFICATE

DOMAIN_VISIBLE_PASSWORD

lpstrKeyword

strLogin

strPass

System.Resources

System.Globalization

System.Configuration

System.ComponentModel

System.CodeDom.Compiler

System.Diagnostics

Microsoft.VisualBasic.CompilerServices

System.ComponentModel.Design

HelpKeywordAttribute

System.Runtime.CompilerServices

System.IO

Operators

OpenSubKey

GetSubKeyNames

System.Security

DllImportAttribute

System.Runtime.ConstrainedExecution

System.Text.RegularExpressions

Crypt32.dll

System.Security.Cryptography

set_Key

System.Windows.Forms

get_ExecutablePath

System.Threading

Microsoft.VisualBasic.MyServices

System.Management

System.Net

WebResponse

HttpWebRequest

WebRequest

System.Security.Principal

mozsqlite3

System.Reflection

ClassLibrary1.Resources.resources

ClassLibrary1.dll

8.0.0.0

My.Application

My.WebServices

My.Computer

My.User

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

10.0.0.0

My.Settings

1.0.0.0

$34198341-5fcc-4526-9f10-72d13de4dbd4

mscoree.dll

C:\Users\Zach\Limitless Logger\DesktopMephLogger\Extras\Sources\Keyloggers\v8 DLL\dll\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb

KeyHook

WebPanelPostClass

Chrome

Firefox

GoogleChromeClear

FirefoxClear

DelayExecution

System.Timers

TempKeys

AllKeys

Keys

user32.dll

LastWindowStr

Smtp

Port

runWithWindows

observeKeys

SetWindowsHookEx

SetWindowsHookExA

UnhookWindowsHookEx

KeyboardProc

MozillaFireFox

System.Net.Mail

SmtpClient

System.Drawing

System.Collections.ObjectModel

System.Drawing.Imaging

CopyPixelOperation

set_Port

WebClient

get_KeyboardLayoutId

GetExecutingAssembly

IsKeyLocked

get_ModifierKeys

RCDATA_BINARY.resources

gmail2.exe

_CorExeMain

skype4COM.skype

\Bitcoin\wallet.dat

\Microsoft\Backups\wallet.dat

\FileZilla\sitemanager.xml

\Microsoft\Backups\sitemanager.xml

\.minecraft\lastlogin

\Microsoft\Backups\lastlogin

\RareBot_Accounts.ini

\Microsoft\Backups\RareBot_Accounts.ini

\RSBot.db

\Microsoft\Backups\RSBot.db

\CoreFTP\sites.idx

HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\

\Port

[::-- CoreFTP Recovery Information --::]

Port:

Password:

CoreFTP Not Found on System

Could Not Recover CoreFTP Info

WScript.Shell

\Dyn\Updater\config.dyndns

Password=

Reporting Mask:

ReportingMask=

Software\DownloadManager\Passwords\

EncPassword

Software\IMVU\password

\MSN Messenger\msidcrl.dll

ps:password

<wsse:Password>

</wsse:Password>

PasswordMSN Messenger Service

Password.NET Messenger Service

User.NET Messenger Service

Passport.Net\*

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

[::-- NoIP v1.XX - v2.XX Recovery Information --::]

Proxy Password:

ProxyPassword

Proxy Port:

ProxyPort

[::-- NoIP v3.XX Recovery Information --::]

CKey:

CKey

\.purple\accounts.xml

password

\SmartFTP\Client 2.0\Favorites\Quick Connect\

\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml

<Port>

</Port>

<Password>

</Password>

[::-- SmartFTP Recovery Information --::]

Could Not Recover SmartFTP Info

SmartFTP Not Found on System

[::-- Firefox Recovery v19  Information --::]

\Mozilla Firefox\

\Mozilla\Firefox\Profiles

signons.sqlite

SELECT * FROM moz_logins;

formSubmitURL

encryptedPassword

Mozilla Firefox Not Found on System

Could Not Recovery Mozilla Firefox Info

\Google\Chrome\User Data\Default\Login Data

logins

origin_url

password_value

[::-- Google Chrome Recovery Information --::]

Google Chrome Not Found on System

Could Not Recovery Google Chrome Info

SQLite format 3

Not a valid SQLite 3 Database File

Auto-vacuum capable database is not supported

No supported Schema layer file-format

\Mozilla Firefox\firefox.exe

No Old Mozilla Firefox Versions Found

[::-- Firefox Recovery v1-v5 Information --::]

Could Not Recover Mozilla Firefox v1-v5 Info

abe2869f-9b47-4cd9-a358-c22904dba7f7

Software\Microsoft\FTP\Accounts

PTF://{0}@{1}/

[::-- Opera Recovery Information --::]

\Opera\Opera\wand.dat

\Opera\Opera\profile\wand.dat

Opera Not Found on System

Could Not Recovery Opera Information

\Google\Chrome\User Data\Default\

login data

\Mozilla\Firefox\Profiles\

\Temp.exe

:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe

.assembly extern mscorlib {}

.assembly extern System {

.ver 2:0:0:0

.publickeytoken = (B7 7A 5C 56 19 34 E0 89)

.assembly

{ .ver 1:0:1:0 }

.module

.method public static void Main() cil managed {

.maxstack 2

.entrypoint

.locals init ([0] class [mscorlib]System.Exception ex)

L_0c: call void [mscorlib]System.IO.File::Copy(string, string)

.try L_02 to L_14 catch [mscorlib]System.Exception handler L_14 to L_23

:Zone.Identifier

Software\Microsoft\Windows\CurrentVersion\Run

Set fso = CreateObject("Scripting.FileSystemObject")

If fso.FileExists(DestinationFile) Then

If Not fso.GetFile(DestinationFile).Attributes And 1 Then

fso.CopyFile SourceFile, "

fso.GetFile(DestinationFile).Attributes = fso.GetFile(DestinationFile).Attributes - 1

fso.GetFile(DestinationFile).Attributes = fso.GetFile(DestinationFile).Attributes   1

temp_MF.vbs

\Steam\config\SteamAppData.vdf

Running Operating System:

Operating System Platform:

Operating System Version:

Operating System Culture:

application/x-www-form-urlencoded

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

DisableCMD

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

mozutils.dll

mozglue.dll

mozcrt19.dll

nspr4.dll

plc4.dll

plds4.dll

ssutil3.dll

mozsqlite3.dll

nssutil3.dll

softokn3.dll

nss3.dll

\Apple Computer\Preferences\keychain.plist

\Common Files\Apple\Apple Application Support\plutil.exe

\Safari\Apple Application Support\plutil.exe

\keychain.xml

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%'UNION ALL SELECT name FROM sqlite_temp_master WHERE type IN ('table','view') ORDER BY 1

Error with executing non-query: "

System.Int32

System.Single

System.String

sqlite3.dll

ClassLibrary1.Resources

hXXp://VVV.limitlessproducts.org/Limitless/Login/submit_log.php

hXXp://codeinject.co.uk/ip.php

Limitless Logger :: Keystroke Log ::

poppy6701@gmail.com

13924212102

smtp.gmail.com

ClassLibrary1.Functions.Other.SelfProtection

ClassLibrary1.Functions.Other.Extras

java.exe

ClassLibrary1.Functions.Other.ClearCookies

ClassLibrary1.Functions.Spreading.Skype

ClassLibrary1.Functions.FileRecovery.Programs

ClassLibrary1.Functions.PasswordRecovery.Browsers GoogleChrome

ClassLibrary1.Functions.PasswordRecovery.Browsers

ClassLibrary1.Functions.PasswordRecovery.Browsers GetFirefoxOld

ClassLibrary1.Functions.PasswordRecovery.Browsers InternetExplorer

ClassLibrary1.Functions.PasswordRecovery.Browsers Opera

ClassLibrary1.Functions.PasswordRecovery.Programs InternetDownloadManager

ClassLibrary1.Functions.PasswordRecovery.Programs CoreFTP

ClassLibrary1.Functions.PasswordRecovery.Programs NimBuzz

ClassLibrary1.Functions.PasswordRecovery.Programs Pigdin

ClassLibrary1.Functions.PasswordRecovery.Programs SmartFTP

ClassLibrary1.Functions.PasswordRecovery.Programs MSN

ClassLibrary1.Functions.PasswordRecovery.Programs DynDNS

ClassLibrary1.Functions.PasswordRecovery.Programs Imvu

ClassLibrary1.Functions.PasswordRecovery.Programs NoIP

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   teracopy.exe:1776
   %original file name%.exe:684
   WScript.exe:1772
   gmail.exe:2600
   gmail.exe:1592
   ilasm.exe:1856

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-JM6G1.tmp\teracopy.tmp (1422 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gmail.exe (12203 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\teracopy.exe (95362 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\gmail.exe (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.exe (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.il (713 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp_MF.vbs (758 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Java.exe (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gmail.exe (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-18URE.tmp\_isetup\_shfoldr.dll (47 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-18URE.tmp\_isetup\_RegDLL.tmp (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\gmail.pdb (18238 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Java" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\java.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Java" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Java.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.