Trojan.GenericKD.2781107_a12b063dee

by malwarelabrobot on November 30th, 2015 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.GenericKD.2781107 (AdAware), Backdoor.Win32.Farfli.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.



MD5: a12b063dee95d77e53618c86168e9486
SHA1: fca875a33d25b51649152c30969456f36d5c46ce
SHA256: f9c8e0a92b3a555e40259d8e5f46276c6fb41267c22790e3d1b521c78c5049d2
SSDeep: 393216:QT5jJo2 X HeKg0Ou2mTrD0eswywv3cIn7Ky6KlUU:Ia Hq0OPmTrZswy2dL6KlUU
Size: 15493120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-12 07:33:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

autorun.exe:2016
write.exe:544
%original file name%.exe:276
Media.exe:1632
Programme.exe:1996
bis.exe:1748
bis.exe:1232
cefal.exe:504
cefal.exe:644

The Trojan injects its code into the following process(es):

write.exe:496
svchost.exe:716
svchost.exe:268
iexplore.exe:1860

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process autorun.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Arial_1.TFT (3824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Edwardian Script ITC.TFT (64 bytes)

The process write.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.dat (290 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process %original file name%.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Programme.exe (96836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Media.exe (9606 bytes)

The process Media.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bis.exe (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cefal.exe (5442 bytes)

The process Programme.exe:1996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\1 AM.rar (9241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\19.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\autorun.exe (19594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\6.btn (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010_1.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\5.btn (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.8.btn (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\11.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Icons\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\3 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\2 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd (13454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Diamond-3.btn (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T.png (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\20120.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T_1.png (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.9.btn (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\1.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\01.mp3 (40935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\9.btn (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\machine2.btn (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\012.bmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Perspective Diamond 1.btn (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\Sans titre.bmp (20 bytes)

The process bis.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\MCMP\mncxd.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process cefal.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\MXPMX\mcigm.exe (7385 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg (2 bytes)

Registry activity

The process autorun.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 D6 7C B4 54 DB B1 90 23 AC FB 9D B6 FC 24 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process write.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 69 E6 40 23 A6 6E FD C7 B6 89 E5 4C 33 F0 CB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process write.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 64 24 3E 7C A6 CB E0 11 79 CC 4C 62 30 DF 9D"

The process %original file name%.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 68 38 42 FA 0B BE F4 D6 45 C0 B1 08 D9 FA 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"programme.exe" = "AutoPlay Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Media.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 8F 04 41 85 FA CE CD AC 07 58 24 82 02 CF 5F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"cefal.exe" = "cefal"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Programme.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 B3 EB 09 D9 E7 7F E5 9A CF 33 92 B7 C6 FA BE"

The process bis.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 0A B5 EF 0C 8A 71 5D 5F 3B 25 CE 7B F0 B5 A7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}]
"StubPath" = "%System%\MCMP\mncxd.exe restart"

[HKCU\Software\H7R4X9Y]
"ServerStarted" = "11/29/2015 3:48:14 AM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\H7R4X9Y]
"InstalledServer" = "%System%\MCMP\mncxd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MNCXD" = "%System%\MCMP\mncxd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MCMP\mncxd.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MNCXD" = "%System%\MCMP\mncxd.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MCMP\mncxd.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JKML" = "%System%\MCMP\mncxd.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JKLL" = "%System%\MCMP\mncxd.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"

The process bis.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 1E 5B 82 4F E7 BB 83 F8 F4 67 F0 D0 C1 3B 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process cefal.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 7D 03 6B 80 99 76 0B 07 BA 34 5D 6C 45 45 00"

The process cefal.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 2E 33 C2 85 78 FE BB 6D EA 1A 30 F0 C0 3F C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\H5JCKLMWAV]
"InstalledServer" = "%System%\MXPMX\mcigm.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MXPMX\mcigm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}]
"StubPath" = "%System%\MXPMX\mcigm.exe restart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\H5JCKLMWAV]
"ServerStarted" = "11/29/2015 3:48:12 AM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MCIGM" = "%System%\MXPMX\mcigm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MCIGM" = "%System%\MXPMX\mcigm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MXPMX\mcigm.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMPM" = "%System%\MXPMX\mcigm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SPMMX" = "%System%\MXPMX\mcigm.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"

Dropped PE files

MD5 File path
d24d14a9f5a94ce5fb541ee1d2f4399d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Media.exe
b57bbc44ced38af7634508a1f925b7c9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Programme.exe
9c3f7e5ac6dd57b8cc4bff253f5729e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO
62ec194cb53963811bdeb7102e7622a3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ir_ext_temp_0\autorun.exe
e828f8f685317b451192dd2d34b304cd c:\WINDOWS\system32\MCMP\mncxd.exe
179b4693099c3db426e6c5aee38fba3f c:\WINDOWS\system32\MXPMX\mcigm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.22.03
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.22.03
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 609521 609792 4.60546 c396d323876086049d868cf5a433f8ed
.rdata 614400 58862 58880 3.76537 675c39c4d49c6af57c9bb434b89fc8c4
.data 675840 37336 11264 2.5949 ba878620fda1aef1e8809380dfebbff6
.rsrc 716800 14812024 14812160 5.53295 744711110ac1a2a111a5f8e783b42871

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Programme.exe_1996:

)!Krz!Krz!Krz!Krz3KrzCTaz.Krz!Ksz
.text
`.rdata
@.data
.rsrc
u.hD3C
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
CNotSupportedException
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
user32.dll
GetCPInfo
KERNEL32.dll
MsgWaitForMultipleObjects
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHFileOperationA
SHELL32.dll
COMCTL32.dll
End tag not completed for element %s
End tag does not correspond to %s
Expecting end tag of element %s
End tag of %s element not found
.PAVCException@@
"SFXSOURCE:%s"
%s\ir_ext_temp_%d
"%s" %s
.PAVCObject@@
.PAVCZipException@@
1.1.3
.PAVCFileException@@
%s (%s)
Incorrect password set for the file being decrypted
\\?\unc\
.PAVCArchiveException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
zcÁ
windows
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Programme.exe
.bXXXA
|.%rW{{{{{{{{{{{~/%se
{.vv.
W.öd
version="7.1.1000.0"
name="autorun.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
7.1.1000.0
2007 Indigo Rose Corporation (VVV.indigorose.com)
ams70_launch.exe

autorun.exe_2016:

.text
`.rdata
@.data
.rsrc
t.Ht&
<.uEF
<.uOCA;
u.WWWWSW
u SSSSh?
u)SSSSh?
uUSSh
.FG;}
Ht.Ht! 
t.It"
INIt.It
u.Jt$Jt
t.Ht Ht
QhX%d
F<%u3
t,SSh
t'SSSSSSSSh
uASSh
It.It#Iuy
%UUUU3
n%dGj
Pj.VQ
Qj.WP
.tTPV
FTPjK
FtPj;
F.PjRWj
u.hhea
u.WWj
u.VVj
u$SShe
On Key
>1.2.8
LIBTIFF, Version 3.7.0
deflate 1.2.3 Copyright 1995-2003 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
%u BitsPerSample not allowed for JPEG
PhotometricInterpretation %u not allowed for JPEG
$Lua: Lua 5.0.2 Copyright (C) 1994-2004 Tecgraf, PUC-Rio $
$URL: VVV.lua.org $
#<wnaspi32.dll
GetASPI32SupportInfo
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
CNotSupportedException
{X-X-X-XX-XXXXXX}
%*.*f
CHttpConnection
CHttpFile
hXXp://
MSWHEEL_ROLLMSG
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ole32.dll
cmd.exe
command.com
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
user32.dll
FWININET.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetOpenUrlA
FtpDeleteFileA
FtpRenameFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpPutFileA
FtpGetFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpFindFirstFileA
WINMM.dll
WSOCK32.dll
VERSION.dll
MSACM32.dll
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
KERNEL32.dll
GetKeyState
MsgWaitForMultipleObjects
EnumWindows
GetAsyncKeyState
ExitWindowsEx
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegEnumKeyA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
NETAPI32.dll
CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
.?AVCCmdTarget@@
Error evaluating stack - operand stack is empty.
%s.%d
A value was expected at position %d.
Missing operator before open parenthesis.
There is an operator missing before the open parenthesis at position %d.
The quotation mark at position %d is missing a match.
Operator:
The backslash (\) at position %d must be followed by another backslash (\) or a quote (") to form a valid escape sequence.
The closed parenthesis at position %d does not have a matching open parenthesis.
The open parenthesis at position %d does not have a matching closed parenthesis.
The closed parenthesis at position %d needs something else to the left of it.
The open parenthesis at position %d needs something else to the left of it.
The operator at position %d needs a value to the left of it.
Values must be separated by operators.
The value at position %d needs something else to the left of it.
The operator at position %d needs a value to the right of it.
Operators must be separated by values.
There can't be two %s operators in a row.
"%s"%s
%s"%s"
"%s" %s "%s"
Error in operate(): no value on the operand stack
Error in operate(): not enough values on the operand stack
%s: %s
Error loading .btn file.
Error loading URL
Unable to display object: %s is not installed.
Web Object
Windows Media Player
Failed to load button file (#%d): %d
_manifest.xml
The file "%s" does not exist.
Could not load Down > Disabled image: "%s".
Could not load Down > Highlight image: "%s".
Could not load Down > Normal image: "%s".
Could not load Up > Disabled image: "%s".
Could not load Up > Highlight image: "%s".
Could not load Up > Normal image: "%s".
Copying "%s"
.PAVCFileException@@
kernel32.dll
"%s" %s
%d.%d.%d.%d
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\PrivateBuild
.bak%d
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Content-Type: application/x-www-form-urlencoded
%%x
%s %s %s %s
%s %s
%s v%d.%d
Windows ME
Windows 98
Windows 95
Windows Vista
Windows XP
Windows Server,XP x64
Windows 2000
Windows NT 4
Windows NT 3
%s\shell\open\command
\WININIT.INI
NUL=%s
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Fonts
Software\Microsoft\Windows\CurrentVersion\Fonts
***!!!***@@
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\%s.lnk
%s\%s.url
%s\%s.pif
*.tns
_fonts.dat
%s_%d
/\:*?"<>|
gdi32.dll
%s\_ir_tmpfnt_%d
MSG_INITIALIZING
Incorrect HTTP status returned by server: %d
.PAVCInternetException@@
Could not create Internet session: %u
Could not create HTTP connection: %u
Could not open request: %u
Send request failed: %u
WinINet.dll
d:d
.PAVCMemoryException@@
Error downloading file: %u
Error writing the destination file: %d-%u
Could not create HTTP connection
Could not HTTP file: %u
Could not open HTTP file: %s
.PAVCException@@
PTF://
hXXps://
jsproxy.dll
DetectAutoProxyUrl
wininet.dll
.tiff
.jpeg
.wbmp
End tag not completed for element %s
End tag does not correspond to %s
Expecting end tag of element %s
End tag of %s element not found
UxTheme.dll
*.gif
*.pcd
*.psd
*.emf
*.apm
*.wmf
*.tif
*.tga
*.png
*.pcx
*.jpg
*.bmp
.PAVCObject@@
.PAVCThreadException@@
local this="%s";
%s -> %s -> %s
local this="%s";local e_Key=%d;local e_Modifiers = {};e_Modifiers.ctrl=%s;e_Modifiers.alt=%s;e_Modifiers.shift=%s
local e_NodeIndex="%s";local this="%s";
local e_Key=%d;local e_Modifiers = {};e_Modifiers.ctrl=%s;e_Modifiers.alt=%s;e_Modifiers.shift=%s;local this="%s";
local e_NodeIndex="%s";local e_Expanded=%s;local this="%s";
local e_NodeIndex="%s";local e_Checked=%s;local this="%s";
local e_NodeIndex="%s";local e_NewText="%s";local e_OldText ="%s";local this="%s";
%s%s1
number e_Key, table e_Modifiers
local this="%s";local e_Index = %d; local e_FilePath = "%s"
%s -> %s ->
CAutoPlayWebObject
.?AVCAutoPlayWebObject@@
hXXp://VVV.indigorose.com
string e_URL
.?AVCWebBrowser2@@
WebWindow
local e_Key=%d;local e_Modifiers = {};e_Modifiers.ctrl=%s;e_Modifiers.alt=%s;e_Modifiers.shift=%s;local this="%s"
local e_Selection=%d;local this="%s"
%s;local this="%s"
local e_Min=%d;local e_Max = %d;local e_Link = "%s";local this="%s"
local e_Min=%d;local e_Max = %d;local this="%s"
local e_Key=%d;local e_Modifiers = {};e_Modifiers.ctrl=%s;e_Modifiers.alt=%s;e_Modifiers.shift=%s
Proxy-Authorization: Basic %s
KERNEL32.DLL
PSAPI.DLL
WS2_32.DLL
windows
CWebBrowser2
MakeKeywordIndex
SearchKeywords
__NOREPORT__
Keywords
TRACE: LastError = %d ("%s")
PasswordInput
All Files (*.*)|*.*|
Page.Jump("
.PAVCResourceException@@
MSG_MOVING
MSG_COPYING
MSG_FROM_CAP
MSG_TO_CAP
MSG_DELETING
MSG_SEARCHING
OpenURL
\StringFileInfo\xx\SpecialBuild
\StringFileInfo\xx\OriginalFilename
\StringFileInfo\xx\Comments
\StringFileInfo\xx\LegalTrademarks
\StringFileInfo\xx\LegalCopyright
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\InternalName
\StringFileInfo\xx\FileDescription
\StringFileInfo\xx\CompanyName
ErrorMsg
%Y-%m-%dT%H:%M:%S
%A, %B %d, %Y
MSG_NOTICE
MSG_INSTALL_DO_YOU_WANT_OVERWRITE
MSG_INSTALL_ALWAYS_ASK_OVERWRITE_MSG
MSG_INSTALL_FILE_OLDER_MSG
MSG_INSTALLING
RunMsiexec
\msi.dll
msi.dll
Software\Microsoft\Windows\CurrentVersion\Installer
\msiexec.exe
Page.Jump does not work during a Page Preview
Page.Navigate does not work during a Page Preview
AutoDetectURL
AlwaysShowSelection
GetKeyNames
DoesKeyExist
DeleteKey
CreateKey
keycode
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
MSG_SIZE_GIGABYTES
MSG_SIZE_MEGABYTES
MSG_SIZE_KILOBYTES
MSG_SIZE_BYTES
IsKeyDown
%s-%s-%s
%s/%s/%s
%d:%s:%s AM
%d:%s:%s PM
%s:%s:%s
Windows Server 2003
xxxxxx
Software\Microsoft\Windows NT\CurrentVersion
MSG_ERROR
MSG_REBOOT_FAILED
LoadURL
GetURL
GetHTTPErrorInfo
PPassword
Password
%s %s %s %s (%0.2f %s)
%0.1f %s/%0.1f %s
%u %s/%u %s
MSG_KB_PER_SEC
MSG_ESTIMATED_TIME_LEFT
MSG_FROM
MSG_SAVING
MSG_DOWNLOADING
WININET.DLL
MSG_QUERYING_INTERNET
MSG_READING
%s/%s
%s (0x%2x)
Cannot play back the video stream: format 'RPZA' is not supported.
Some of the streams in this movie are in an unsupported format.
Use of this filter is restricted by a software key. The application must unlock the filter.
Frame stepping is not supported.
This operation is not permitted in the current domain.
This user operation is inhibited by DVD content at this time.
No video port hardware is available, or the hardware is not responding.
The video port connection negotiation process has failed.
Pins cannot connect because they don't support the same transport.
Cannot play back the file: the format is not supported.
Cannot play back the video stream: the video format is not supported.
Cannot play back the audio stream: the audio format is not supported.
Cannot play back the audio stream: no audio hardware is available, or the hardware is not supported.
The operation could not be performed because the filter is in the wrong state
The operation could not be performed because the filter is not running.
The operation could not be performed because the filter is not paused.
The operation could not be performed because the filter is not stopped.
No matching color key is available.
Setting a palette would conflict with the color key already set.
Setting a color key would conflict with the palette already set.
Current pin connection is not using the IMemInputPin transport.
Current pin connection is not using the IOverlay transport.
No color key has been set.
The operation cannot be performed because the pins are not connected.
One of the specified pins supports no media types.
At least one of the pins involved in the operation is already connected.
This operation cannot be performed because the filter is active.
font%d.dat
Advapi32.dll
MSG_REDIRECTING
MSG_STATUS_REQUEST_COMPLETE
MSG_STATUS_HANDLE_CLOSING
MSG_STATUS_HANDLE_CREATED
MSG_CONNECTION_CLOSED
MSG_CLOSING_CONNECTION
MSG_CONNECTED_TO_SERVER
MSG_CONNECTING_TO_SERVER
MSG_HOST_NAME_RESOLVED
MSG_RESOLVING_HOST_NAME
%s, Line %d: %s
[%d]: %s
*** LOCATION: %s
local e_WindowWidth = %d; local e_WindowHeight = %d; local e_PageWidth = %d; local e_PageHeight = %d; local e_Type = %d;local this="%s";
%s -> %s
local e_WindowWidth = %d; local e_WindowHeight = %d; local e_PageWidth = %d; local e_PageHeight = %d; local e_Type = %d;
Project -> %s
local e_ID = %d;%s;local this="%s"
local e_ID = %d;%s
local e_ItemInfo = {}; e_ItemInfo.Text="%s";e_ItemInfo.ID=%d; e_ItemInfo.Checked=%s;e_ItemInfo.Enabled=%s
0.0.0.0
%s >= %s
__IR_TEMP_DETECT_VER = %s();
RICHED32.DLL
RICHED20.DLL
comctl32.dll
Failed to initialize sound system: %s
{19813504-68A4-EFEC-925D-B3CD087B8175}
_proj.dat
Recording not supported on this device
An invalid parameter was passed to this function
The version number of this file format is not supported
Error setting cooperative level for hardware.
Soundcard does not support the features needed for this soundsystem (16bit stereo output)
and can not be run with the commercial version's runtime executable.
Detection script: %s
_detect.dat
MissingAXHelpURL
?;%s\AutoPlay\Scripts\?;%s\AutoPlay\Scripts\?.lua;%s\?.lua;%s\?;
Failed to load plugin: %s (#%d)
Debug.ShowWindow(true);
Debug.SetTraceMode(true);
%s\menu1.dah
local e_X = %d; local e_Y = %d;local this="%s";
local e_Type = %d; local e_X = %d; local e_Y = %d;local this="%s";
local e_Type = %d; local e_X = %d; local e_Y = %d; local this="%s";
local this="%s";local e_FSCommand="%s";local e_FSArgs="%s";
local this="%s";local e_URL="%s";
local this="%s";local e_Channel=%d;local e_State="%s"
local e_Type = %d; local e_X = %d; local e_Y = %d;local this="%s"
local e_Type = %d; local e_X = %d; local e_Y = %d
Created with AutoPlay Media Studio 7.0 Trial - hXXp://VVV.indigorose.com
%Program Files%
C:\Temp
_WindowsFolder
IS 3.0.58.3
DIBToHBITMAP error: GetLastError = %d
SetWinMetaFileBits failed GetLastError = %d
read %d. layersLen %d
ISLib PNG Error : %s
1.2.8
Reading PCD sub-image #%d (%d x %d)
ISLib JPG Error : %s
ISLib JPG marker # %d, len: %d
ISLib JPG comment : %s
Found bad IPTC data resource (len exceeds block end). ID=%d
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
iTXt chunk not supported.
GeoKeyDirectory
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%s: Bad value %f for "%s"
%s: Invalid %stag "%s" (not supported by codec)
%s: Bad field type %d for "%s"
%s: Pass by value is not implemented.
%s: Failed to allocate space for list of custom values
%s: Bad value %ld for "%s"
%s: Bad value %d for "%s"
%s: Sorry, cannot nest SubIFDs
Nonstandard tile length %d, convert file
Nonstandard tile width %d, convert file
Bad value %ld for "%s" tag ignored
%s: Invalid InkNames value; expecting %d names, found %d
%s: Error fetching directory count
%s: Error fetching directory link
Sorry, can not handle images with %d-bit samples
Sorry, LogL data must have %s=%d
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, can not handle YCbCr images with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle separated image with %s=%d
Missing needed %s tag
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: Data buffer too small to hold tile %ld
%s: No space for data buffer at scanline %ld
Integer overflow in %s
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
This is a BigTIFF file. This format not supported
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
%s: Error writing SubIFD directory link
ExifInteroperabilityOffset
InteroperabilityIndex
InteroperabilityVersion
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Internal error, unknown tag 0x%x
Tag %d
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
%s: cannot handle zero strip size
%s: cannot handle zero tile size
%s: cannot handle zero scanline size
%s: Bogus "%s" field, ignoring and calculating from imagelength
%s: TIFF directory is missing required "%s" field, calculating from imagelength
%s: cannot handle zero number of %s
%s: wrong data type %d for "%s"; tag ignored
%s: unknown field with tag %d (0x%x) encountered
%s: invalid TIFF directory; tags are not sorted in ascending order
%s: Can not read TIFF directory
%s: Can not read TIFF directory count
%s: Seek error accessing TIFF directory
%s: Failed to allocate space for IFD list
No space %s
%s: Cannot determine size of unknown tag type %d
%s: TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag trimmed
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
%ld%c
%s compression support is not configured
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
PixarLog compression can't handle bits depth/data format combination (depth: %d)
%d bit input not supported in PixarLog
PixarLogDecode: unsupported bits/sample: %d
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
PixarLog compression can't handle %d bit linear encodings
%s: Encoder error: %s
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
(%u = 0x%x)
%suncompressed data
%sEOL padding
%s2-d encoding
%s compression not supported
Tiled Wang image not supported in libtiff
Does not support lossless Huffman coding
Decompressor will try reading with sampling %d,%d.
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d.
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
%u (0x%x)
Lua 5.0.2
bad argument #%d to `%s' (%s)
calling `%s' on bad self (%s)
%s expected, got %s
%s:%d:
stack overflow (%s)
cannot read %s: %s
attempt to %s a %s value
attempt to %s %s `%s' (a %s value)
attempt to compare %s with %s
attempt to compare two %s values
%s:%d: %s
system error %d
file (%s)
`popen' not supported
field `%s' missing in date table
^$* ?.([%-
missing `[' after `%%f' in pattern
no function environment for tail call at level %d
could not load package `%s' from path `%s'
error loading package `%s' (%s)
?;?.lua
`__pow' (`^' operator) is not a function
invalid key for `next'
too many %s (limit=%d)
%s:%d: %s near `%s'
char(%d)
`%s' expected (to close `%s' at line %d)
`%s' expected
bad code in %s
unexpected end of file in %s
bad integer in %s
bad nupvalues in %s: read %d; expected %d
bad constant type (%d) in %s
unknown number format in %s
%s too old: read version %d.%d; expected at least %d.%d
%s too new: read version %d.%d; expected at most %d.%d
bad signature in %s
virtual machine mismatch in %s: size of %s is %d but read %d
C:\Dev\fmodsrc375win\src\fsound_stream.c
http:\\
C:\Dev\fmodsrc375win\src\fsound.c
C:\Dev\fmodsrc375win\src\fsound_tag.c
C:\Dev\fmodsrc375win\src\system_memory.c
C:\Dev\fmodsrc375win\src\fsound_dsp.c
C:\Dev\fmodsrc375win\src\system_thread.c
C:\Dev\fmodsrc375win\src\system_file.c
The DLLs/EXEs of ASPI don't version check
No resources available to execute cmd
ASPI for windows failed init
Unsupported Windows mode
ASPI manager doesn't support Windows
C:\Dev\fmodsrc375win\win\src\fsound_cdda.c
\\.\%c:
ERROR: %c: already open
ERROR: Couldn't access CD/DVD device at %c:
ERROR: %s
ERROR: Failed to initialise ASPI (%s)
wmvcore.dll
C:\Dev\fmodsrc375win\win\src\format_asf.cpp
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\vorbisfile.c
C:\Dev\fmodsrc375win\win\src\format_dshow.c
C:\Dev\fmodsrc375win\src\fsound_sample.c
C:\Dev\fmodsrc375win\src\format_mpeg.c
C:\Dev\fmodsrc375win\src\format_oggvorbis.c
C:\Dev\fmodsrc375win\src\format_wav.c
C:\Dev\fmodsrc375win\src\format_fsb.c
C:\Dev\fmodsrc375win\src\format_oggvorbis_net.c
C:\Dev\fmodsrc375win\src\format_mpeg_net.c
StreamUrl='
HTTP/1.1
HTTP/1.0
C:\Dev\fmodsrc375win\src\fsound_stream_net.c
ice-url
ice-url:
icy-url
icy-url:
Authorization: Basic %s
Host: %s
GET %s HTTP/1.1
C:\Dev\fmodsrc375win\src\sound_software.c
C:\Dev\fmodsrc375win\win\src\output_winmm.c
ddraw.dll
\d3d9.dll
dsound3d.dll
dsound.dll
%s: Left = ASIO CH %d Right = ASIO CH %d
C:\Dev\fmodsrc375win\win\src\output_asio.cpp
C:\Dev\fmodsrc375win\win\src\fsound_systemmixer_win32.c
Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
C:\Dev\fmodsrc375win\win\src\music_formatmidi.c
C:\Dev\fmodsrc375win\src\fsound_dsp_fft.c
C:\Dev\fmodsrc375win\ogg_vorbis\ogg\src\framing.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\info.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\block.c
C:\Dev\fmodsrc375win\src\format_it.c
C:\Dev\fmodsrc375win\src\system_net.c
C:\Dev\fmodsrc375win\src\music_formatmod.c
C:\Dev\fmodsrc375win\src\music_formatit.c
C:\Dev\fmodsrc375win\src\music_formatxm.c
C:\Dev\fmodsrc375win\src\music_formats3m.c
C:\Dev\fmodsrc375win\src\music_formatfsb.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\psy.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\sharedbook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\codebook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mdct.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\envelope.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mapping0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\res0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor1.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor0.c
%s %s
%s %s (%s)
u/u/u u:u
%s %lx
%s %d %s
All Files|*.*||
dzprog32 /%c /u /T=%s
Version: 4.00.04 - %s %s
%s [Memory]
%s [Tested]
%s [Extracted]
--- DynaZIP UnZIP Log - %s ---
\DUNZLOG.TXT
%s exists and is Read Only, do you want to overwrite it?
Decryption key not provided, or too long
UNZIPCMDSTRUCT Size is incorrect.
\DYNAZIP.LOG
decryptFlag: %d
returnCount: %d
noDirectoryItemsFlag: %d
recurseFlag: %d
noDirectoryNamesFlag: %d
testFlag: %d
quietFlag: %d
overWriteFlag: %d
updateFlag: %d
freshenFlag: %d
index: %d
Function: %d
--- DynaZIP UnZIP Diagnostic Log - %s ---
returnCount: %d
File to Memory: %s
Testing: %s
Extracting: %s
Item %d of %d
%s is encrypted, and you have not provided the correct code. Go to next item (if any)?
%s exists, do you want to overwrite it?
User skipped this operation
User cancelled this operation
Bad or missing decryption key
Application cancelled operation
Multi-disk archive, not supported
Target Media is NON-Removable and can not be used for a Multi-Volume operation.
Please insert Disk Volume %d of %d.
Please insert Disk Volume %d.
PKBACK# d
dzprog32.exe /%c /z /T=%s
:;,= "[]<>|
-.Z:.zip:.zoo:.arc:.lzh:.arj
PKBACK# .d
%s [Deleted]
%s [Added]
--- DynaZIP ZIP Log - %s ---
\DZIPLOG.TXT
Wiping Drive %c:...
Formatting Cylinder %d
Formatting Drive %c:...
zip error: STORE not supported for pipes or devices
local extra (%d bytes) != central extra (%d bytes):
has %d bytes of extra data:
unknown internal attributes = 0xx:
starts on disk %u:
unknown compression method %u:
undefined bits used in flags = 0xx:
local flags = 0xx, central = 0xx:
needs unzip %d.%d on system type %d:
made by version %d.%d on system type %d:
Could not complete operation
Operation interrupted by application
encryptFlag: %d
dontCompressTheseSuffixesFlag: %d
includeSysHiddenFlag: %d
noDirectoryEntriesFlag: %d
excludeFollowingFlag: %d
includeOnlyFollowingFlag: %d
oldAsLatestFlag: %d
afterDateFlag: %d
addCommentFlag: %d
convertLFtoCRLFFlag: %d
growExistingFlag: %d
deleteOriginalFlag: %d
includeVolumeFlag: %d
fixHarderFlag: %d
fixFlag: %d
pathForTempFlag: %d
compFactor: %d
dosifyFlag: %d
Function: %d
--- DynaZIP ZIP Diagnostic Log - %s ---
was getting encryption password
encryption not supported
\\.\vwin32
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCOleDispatchException@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
version="7.1.1000.0"
name="autorun.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
eDRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Play
BaseLAURL
Transfer.NONSDMI
Transfer.SDMI
Print.redbook
CopyrightURL
BannerImageURL
WM/AlbumCoverURL
WM/PromotionURL
To see what data this error report contains,
We have created an error report which will help us to improve this product. We will treat this report as confidential and anonymous. No personal data will be transmitted other than what you provide to us.
Jump target not found
The operating system is out of memory or resources
The specified file was not found.
The specified path was not found.
The .exe file is invalid (non-Win32 .exe or error in .exe image).
The operating system denied access to the specified file.
The file name association is incomplete or invalid.
The DDE transaction could not be completed because other DDE transactions were being processed.
The DDE transaction failed.
The DDE transaction could not be completed because the request timed out.
The specified dynamic-link library was not found.
There is no application associated with the given file name extension.
There was not enough memory to complete the operation.
Unidentified execution error.
Could not find the startup page specified in Project|Settings
Page does not exist:
The specified object was not found.
The action could not be performed because the content file is closed.
The Video Object's state was incompatible with the action.
The "SeekTime" value is to large for Video Object.
The "SeekTime" value cannot be less than negative one.
%d arguments required.
Argument %d must be of type %s.
Confirm Abort
Are you sure that you want to abort the operation?
Replace
Select the entire document
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Page %u
Pages %u-%u
Output.prn
Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Unable to load mail system support.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
7.1.1000.0
2007 Indigo Rose Corporation (VVV.indigorose.com)
ams70_runtime.exe

svchost.exe_716:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_716_rwx_00C80000_00016000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
789:;<&'()* ,-./12345
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
DURLDnV
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
flashplayerupdate.sytes.net
mcigm.exe
write.exe
fil{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}
PTF.ftpserver.com
ftpuser
ftppass
%System%\MXPMX\mcigm.exe
%System%\MXPMX\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg
Software\Microsoft\Active Setup\Installed Components\{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}

write.exe_496:

.text
`.data
.rsrc
SHELL32.dll
KERNEL32.dll
msvcrt.dll
wordpad.exe
write.pdb
ShellExecuteA
_acmdln
Windows Write
5.1.2600.0 (xpclient.010817-1148)
Windows
Operating System
5.1.2600.0

write.exe_496_rwx_00C80000_00016000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
789:;<&'()* ,-./12345
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
DURLDnV
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
flashplayerupdate.sytes.net
mcigm.exe
write.exe
fil{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}
PTF.ftpserver.com
ftpuser
ftppass
%System%\MXPMX\mcigm.exe
%System%\MXPMX\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg
Software\Microsoft\Active Setup\Installed Components\{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cefal.exe

svchost.exe_268:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_268_rwx_00C80000_00016000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
789:;<&'()* ,-./12345
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
4DURLDr
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
flashplayerupdate.sytes.net
C:\User
mncxd.exe
igfxsrvc.exe
{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}
PTF.ftpserver.com
ftpuser
ftppass
%System%\MCMP\mncxd.exe
%System%\MCMP\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg
Software\Microsoft\Active Setup\Installed Components\{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}

iexplore.exe_1860:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_1860_rwx_00C80000_00016000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
789:;<&'()* ,-./12345
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
4DURLDr
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
flashplayerupdate.sytes.net
C:\User
mncxd.exe
igfxsrvc.exe
{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}
PTF.ftpserver.com
ftpuser
ftppass
%System%\MCMP\mncxd.exe
%System%\MCMP\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg
Software\Microsoft\Active Setup\Installed Components\{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bis.exe


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    autorun.exe:2016
    write.exe:544
    %original file name%.exe:276
    Media.exe:1632
    Programme.exe:1996
    bis.exe:1748
    bis.exe:1232
    cefal.exe:504
    cefal.exe:644

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Arial_1.TFT (3824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Edwardian Script ITC.TFT (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.dat (290 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Programme.exe (96836 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Media.exe (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bis.exe (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cefal.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\Disc 01.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\1 AM.rar (9241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\19.btn (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\autorun.exe (19594 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\6.btn (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010_1.bmp (8737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\5.btn (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.8.btn (1137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\11.btn (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Icons\Disc 01.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO (1209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\3 AM.rar (11034 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\2 AM.rar (11034 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd (13454 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Diamond-3.btn (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T.png (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\20120.bmp (8737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T_1.png (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.9.btn (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\1.btn (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\01.mp3 (40935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\9.btn (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010.bmp (8737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\machine2.btn (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\012.bmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Perspective Diamond 1.btn (1209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\Sans titre.bmp (20 bytes)
    %System%\MCMP\mncxd.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg (2 bytes)
    %System%\MXPMX\mcigm.exe (7385 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "MNCXD" = "%System%\MCMP\mncxd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JKML" = "%System%\MCMP\mncxd.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "JKLL" = "%System%\MCMP\mncxd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "MNCXD" = "%System%\MCMP\mncxd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "MCIGM" = "%System%\MXPMX\mcigm.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "MCIGM" = "%System%\MXPMX\mcigm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SMPM" = "%System%\MXPMX\mcigm.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SPMMX" = "%System%\MXPMX\mcigm.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %System%\MCMP\mncxd.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %System%\MCMP\mncxd.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
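The five manual steps above can be scripted. The PowerShell helper below is an added example written for this page; it is not Lavasoft's code and is not derived from the sample. It audits every persistence point the report lists (steps 1, 3, 4 and 5) and, only when run with the -Remove switch, terminates the processes, deletes the values and files, and restores the Winlogon Shell value. Assumptions: %System% is resolved through [Environment]::SystemDirectory and the per-user Application Data folder through GetFolderPath('ApplicationData'); autorun values are matched on their data (the payload path) rather than on the value names above, since the report already shows the same executable registered under six different names; the two Active Setup component GUIDs come from the strings dump, not from the removal steps, and are reported the same way. Run it from an elevated prompt and reboot afterwards.

```powershell
# Added example for this report: audits (and, with -Remove, cleans) the persistence
# points listed in the manual removal steps. Not Lavasoft's tooling and not code from
# the original report. Run from an elevated PowerShell prompt, then reboot.
param([switch]$Remove)

$SystemDir = [Environment]::SystemDirectory                     # assumption: %System%
$AppData   = [Environment]::GetFolderPath('ApplicationData')     # assumption: per-user Application Data

# Dropped payloads and config files named in step 3.
$PayloadExes = @((Join-Path $SystemDir 'MCMP\mncxd.exe'),
                 (Join-Path $SystemDir 'MXPMX\mcigm.exe'))
$DroppedFiles = $PayloadExes + @(
    (Join-Path $AppData 'Microsoft\Windows\H7R4X9Y.cfg'),
    (Join-Path $AppData 'Microsoft\Windows\H5JCKLMWAV.cfg'),
    (Join-Path $AppData 'Microsoft\Windows\H5JCKLMWAV.dat'))

# Process image names from step 1 plus the two persistent payloads.
$ProcNames = 'mncxd','mcigm','cefal','bis','Media','Programme','autorun'

$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$WinlogonKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon')
# Active Setup component GUIDs seen in the strings dump (not in the removal steps).
$ActiveSetupGuids = '{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}','{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}'

function Test-ReferencesPayload([string]$Data) {
    foreach ($exe in $PayloadExes) { if ($Data -like "*$exe*") { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: running instances of the dropped executables.
foreach ($p in Get-Process -Name $ProcNames -ErrorAction SilentlyContinue) {
    $findings.Add("Process: $($p.ProcessName) (PID $($p.Id))")
    if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
}

# Step 4: Run/RunOnce values. Match on the data, not the value name, because the
# report shows the same payload registered under several names (MNCXD, JKML, JKLL, ...).
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/...
        if (Test-ReferencesPayload "$($prop.Value)") {
            $findings.Add("Autorun: [$key] `"$($prop.Name)`" = `"$($prop.Value)`"")
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name -Force }
        }
    }
}

# Step 5: Winlogon Shell. The stock value is exactly "explorer.exe"; the Trojan
# appends its own path so it starts alongside the shell at every logon.
foreach ($key in $WinlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }
    if (Test-ReferencesPayload $shell) {
        $findings.Add("Winlogon Shell hijack: [$key] `"Shell`" = `"$shell`"")
        if ($Remove) {
            if ($key -like 'HKLM:*') { Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe' }
            else { Remove-ItemProperty -Path $key -Name Shell -Force }   # HKCU Shell is absent on a clean install
        }
    } elseif ($shell -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell is non-default (review manually): [$key] `"Shell`" = `"$shell`"")
    }
}

# Strings dump only: Active Setup component keys under either hive.
foreach ($guid in $ActiveSetupGuids) {
    foreach ($hive in 'HKLM:','HKCU:') {
        $key = "$hive\Software\Microsoft\Active Setup\Installed Components\$guid"
        if (Test-Path $key) {
            $findings.Add("Active Setup component: $key")
            if ($Remove) { Remove-Item -Path $key -Recurse -Force }
        }
    }
}

# Step 3: dropped files, after the processes are stopped so the images are not locked.
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("File: $f")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' }
else {
    $findings
    if ($Remove) { 'Indicators removed; reboot to complete the cleanup (step 6).' }
    else         { "Run again with -Remove to clean up ($($findings.Count) finding(s))." }
}
```

Running without -Remove prints findings only, which is the safer first pass. A Winlogon Shell value that is non-default but does not reference the Trojan is flagged for manual review rather than reset, because kiosk and deployment images legitimately change it; only a value containing one of the two payload paths is restored to explorer.exe (HKLM) or removed (HKCU).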
