Fake-AV_5deeff0512

by malwarelabrobot on May 27th, 2014 in Malware Descriptions.

Fake-AV.Win32.FakeAV.iije (Kaspersky), Trojan.Generic.KD.369558 (B) (Emsisoft), Trojan.Generic.KD.369558 (AdAware)
Behaviour: Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5deeff05129a1d4aaf5bac9091d9058f
SHA1: 07f42d03bf6786a9720afca3c21f7c2b28cb429d
SHA256: 77cc991cadb6bd6db66df45324f62786ad74e819928228d5a1369b4661583ee3
SSDeep: 49152:BJqwJxr 7bFSMEFvEVuAuB2xG5d54d8sB YHGST6GzY:BJq9DEFvEMFB2ASgg6G
Size: 2390016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2005-11-12 20:39:01
Analyzed on: WindowsXP SP3 32-bit


Summary:

FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

wuauclt.exe:540
%original file name%.exe:1656

The Fake-AV injects its code into the following process(es):

exA1uvD2oFpHsJd.exe:1864

File activity

The process exA1uvD2oFpHsJd.exe:1864 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
%Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)

The Fake-AV deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process wuauclt.exe:540 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Fake-AV deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1656 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):

%System%\config\software (838 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
%System%\exA1uvD2oFpHsJd.exe (10752 bytes)

Registry activity

The process exA1uvD2oFpHsJd.exe:1864 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 20 B8 1F 8C 17 F1 92 5A DC EA 65 FC 70 D3 B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process %original file name%.exe:1656 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F D9 7C 48 14 CE 3C B2 25 70 8C 29 46 45 33 CC"

To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1117300 1117696 4.91129 75caa66075b6477bd57a834bec9524b8
.rdata 1122304 1268 1536 3.51403 9e6b659a192e853f991203dd64a0937b
.data 1126400 1268280 1268736 5.54506 ed1563f9848845eb710b9a918ac318de
.reloc 2396160 6721536 1024 1.34685 11b3cd8b4cbfbb39a2e04bba2e5b8bdb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://google.com/ 173.194.32.166
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.37.37.163
hxxp://crl.verisign.com/pca3-g2.crl 23.37.37.163
hxxp://crl.verisign.com/pca3.crl 23.37.37.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.37.37.163
www.download.windowsupdate.com 212.30.134.177


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware

Traffic

GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "ca78ff71d328047ab1f6f2dd982e54d9:1399928710"
Last-Modified: Mon, 12 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Tue, 13 May 2014 03:30:38 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "072641a27cd10308fabc881f069f37c1:1396126208"
Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Tue, 13 May 2014 03:30:37 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"
Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Tue, 13 May 2014 03:30:40 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "7ec0494a7288a550c3f3de408e9ca884:1399928710"
Last-Modified: Mon, 12 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 37283
Date: Tue, 13 May 2014 03:30:40 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET / HTTP/1.1
Host: google.com
User-Agent: mozilla/2.0
Connection: close


HTTP/1.1 302 Found
Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=f6c23712edbd5a1d:FF=0:TM=1399951821:LM=1399951821:S=OQTHMyaPiQuxlsvb; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=Od5HoomjUViLtJRDNoQ3IG5m19_yQ2aIjFi5_CD9aRX_dttRQf_PQKL4wdX9Uyu_pFbnSjtTFLUCNtEsVCXFLnsFJRpzFoD0YzTwUxrYqNdRkx4VAl6g04rzoI8lm8Ed; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 03:30:21 GMT
Server: gws
Content-Length: 262
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ">here</A>...</BODY></HTML>....


GET / HTTP/1.1
Host: google.com
User-Agent: mozilla/2.0
Connection: close


HTTP/1.1 302 Found
Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=c924d52e60b41975:FF=0:TM=1399951821:LM=1399951821:S=ZCyxXXYk2D8IprA9; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=daOBenXY2r7DlDFxIJFnXvQQXKLndHtlO-HLMsio9PU-a7ciJk32PKVB_ep7IKIcf99n0uwyEBmm-xtHd_yGszlNkY5UhBcZyJeHTedPWSRRCZp0TZMAEh8a-hLMsCQh; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 03:30:21 GMT
Server: gws
Content-Length: 262
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ">here</A>...</BODY></HTML>....


The Fake-AV connects to the servers at the following location(s):

exA1uvD2oFpHsJd.exe_1864:

1.2.5
%s.zl
avgnt.exe
avgwdsvc.exe
AVGIDSAgent.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
ldr.ini
chrome.exe
iexplore.exe
http://google.com
http://%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win32msmsgs.exe
win32itunes.exe
win32java.exe
win32wmplayer.exe
win32photoshop.exe
win32outlook.exe
win32excel.exe
win32winword.exe
win32safari.exe
win32firefox.exe
win32opera.exe
win32iexplore.exe
java.exe
drweb
http://%s/r.php?ver=14&id=%s&hwid=%s&p=%d&os=%s
9992665263
%s (%s:%d)
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
Software\Microsoft\Windows\CurrentVersion\Run
%s %s%s
windows\
chargeyourorder.com
ordersonlinenow.com
mediaforclouds.com
ourbigvideostore.com
%d_%d_%d
%d_%d
%s\%s
sysl32.dll
TH_%d
http://photodatastore.com/sp.php?adv=%s&who=S
: Support
&key=
License key validated.
http://%s/ex2.php
%s "%s" %s
[email protected] /c "%s"
del "%s"
if exist "%s" goto a
\oc%d_w32.bat
http://
HTTP/1.1 200 OK
HTTP/1.0 200 OK
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: %u
GET %s HTTP/1.1
User-Agent: mozilla/2.0
spooler.exe
server.exe
winlogon.exe
un_inst.exe
IEUser.exe
SearchProtocolHost.exe
DllHost.exe
csrss.exe
Windows has detected malicious programs running on your computer.
Click here to activate your Windows antivirus software
http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s
%s|%s|%d
%d.%d.%d
svg.ini
software\Microsoft\Windows\CurrentVersion
{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
%u.%u.%u.%u
CluAdmin.exe
setup.exe
wab.exe
paint.exe
pools.exe
user32.exe
explorer.exe
notepad.exe
wmplayer.exe
msimn.exe
iexplorer.exe
calc.exe
%s\%s.exe
%s%s.ico
comctl32.dll
5_%d_%d_%d
4_%d_%d_%d
CSupportDlg
http://jn%s.%s/forum.cgi
email=%s&message=%s
HKEY\LM
HKEY\CU
%s\%s.ico
DEL_%d
Defs39491.db
XXXXXXXXXX
[%d] %s
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CNotSupportedException
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
mfcm100.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
RegDeleteKeyExA
lXXxXXXXXXXX
Shell32.dll
%s:%x:%x:%x:%x
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
MFCLink_UrlPrefix
MFCLink_Url
ole32.dll
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
%sPane-%d%x
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d
windows
ShowCmd
%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
Hex={X,X,X}
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
portuguese-brazilian
operator
GetProcessWindowStation
F%D,3
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
.?AVCCmdTarget@@
.PAVCException@@
.?AVCSupportDlg@@
.?AVCWEbEvents_Bill@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.PAVCFileException@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b
%System%\exA1uvD2oFpHsJd.exe
GetCPInfo
GetWindowsDirectoryA
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExA
ShellExecuteA
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
CreateDialogIndirectParamA
EnumWindows
GetAsyncKeyState
GetKeyNameTextA
MapVirtualKeyA
keybd_event
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WSOCK32.dll
Dr.Web
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software
A
accKeyboardShortcut
hhctrl.ocx
SHELL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
PRICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
svchost.exe
Send Error Report
We have created an error report that you can send to us. We will treat
this report as confidential and anonymous.
To see what data this error report contains, click here.
svchost.exe was replaced with unauthorized program.
Windows Security Alert
Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.
Windows Security Center
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
3.0.0.2

exA1uvD2oFpHsJd.exe_1864_rwx_00400000_008B2000: (strings identical to the exA1uvD2oFpHsJd.exe_1864 dump above)
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b
%System%\exA1uvD2oFpHsJd.exe
GetCPInfo
GetWindowsDirectoryA
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExA
ShellExecuteA
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
CreateDialogIndirectParamA
EnumWindows
GetAsyncKeyState
GetKeyNameTextA
MapVirtualKeyA
keybd_event
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WSOCK32.dll
Dr.Web
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software
A
accKeyboardShortcut
hhctrl.ocx
SHELL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
PRICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
svchost.exe
Send Error Report
We have created an error report that you can send to us. We will treat
this report as confidential and anonymous.
To see what data this error report contains, click here.
svchost.exe was replaced with unauthorized program.
Windows Security Alert
Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.
Windows Security Center
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
3.0.0.2


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:540
    %original file name%.exe:1656

  2. Delete the original Fake-AV file.
  3. Delete or disinfect the following files created/modified by the Fake-AV:

    %Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
    %Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %System%\config\software (838 bytes)
    %System%\config\SOFTWARE.LOG (1987 bytes)
    %System%\exA1uvD2oFpHsJd.exe (10752 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
