Trojan.Win32.Delphi_fb5bd21333

by malwarelabrobot on November 13th, 2015 in Malware Descriptions.

Trojan.Win32.Diss.susko (Kaspersky), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: fb5bd2133354f5f2f1b2a8784b69d3bc
SHA1: 56346c546f7f003c5e69ceb3bdc937830f785a10
SHA256: 15e85e3657d1a09135d50980594de1c134bb348ed2e3a5ffabff64ef8bc6a36e
SSDeep: 49152:2FN1Z04ewsXx/JHER8HAOGChn0CocgHgWt9qtBB7QtyjiD:2FN1S4e9hS8HAOGChcBHft8C6iD
Size: 2042606 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Video HDV04.10
Created at: 2015-01-31 10:27:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1868
_hndguard.exe:2012

The Trojan injects its code into the following process(es):

hndclient.exe:1176

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process hndclient.exe:1176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
%Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (0 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (0 bytes)

Registry activity

The process hndclient.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "D:\hndclient.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\HandyCafe\Client]
"Version" = "3.3.21"
"Path" = "D:\hndclient.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"

"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 E8 AF E6 05 8F DF 8E C1 33 F7 91 54 BE 46 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "hndclient.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.3.21"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

"hndclient" = "D:\hndclient.exe"

The Trojan modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan adds a Windows Firewall rule that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\D:]
"hndclient.exe" = "D:\hndclient.exe:*:Enabled:handyCafe Client"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"

The Trojan deletes the following value(s) in the system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"

"VMware Tools"

"Adobe ARM"

"SunJavaUpdateSched"

"Adobe Reader Speed Launcher"

"hndclient"

The process %original file name%.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 3A FF 2B CF DC DB 25 76 45 25 05 3D C5 B6 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"hndclient.exe" = "HandyCafe Client"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process _hndguard.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 01 37 8B 11 8B 96 79 0D 26 14 DA 80 EA 63 C9"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 165770 165888 4.6575 d06d79869523ea3421d1bec81acb4dd3
.rdata 172032 20435 20480 3.73648 e22329333f8810a163be0adc3018660e
.data 192512 136232 5632 2.40214 6754819d963e719555064632286f5a0d
.rsrc 331776 17624 17920 3.22359 2228bf0d08f66c617dd72a81676d6c6b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 41

URLs

URL IP
hxxp://ad.handycafe.com/se/adx.php 37.58.77.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Http Client Body contains pass= in cleartext

Traffic

POST /se/adx.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: AtWebPost
Host: ad.handycafe.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: UTF-8,*
Cache-Control: no-cache
Connection: close
Content-Length: 285

lang=EN&op=get_banner&RndID=1409156&Mac=00-0C-29-AC-63-98&Version=3.3.21&LocalIp=192.168.220.135&ProductKey=&Serial=&Clients=0&ServerMac=&Screen=1916x902&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&iType=0&Adtry=1&hpass=hcafe&rand_id=42724-1409156
HTTP/1.1 200 OK
Date: Thu, 12 Nov 2015 05:27:56 GMT
Server: Apache/2.4.12 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.42
X-Powered-By: PHP/5.4.42
Vary: Accept-Encoding,User-Agent
Content-Length: 1253
Connection: close
Content-Type: text/html


The Trojan connects to the servers at the following location(s):

Strings from Dumps

hndclient.exe_1176:

Uh.YV
InternetExplorer.Application
%s;-%s
SpinEdit1KeyUp
WebBrowser1DocumentComplete
AtWebPost1%
ClientLogin
ClientUrl
ClientAdminLogin
ClientWeb
AtWebPost2ThreadExecute
AtWebPost1DownloadCompleted
ClientLogout::Keyex
ClientLogout::Key
ClientLogout::MSGClose
ClientLogout::ChangePassClose
SYSKeys
Software\Microsoft\Windows\CurrentVersion\Policies\System
handycafe.com
_wreq.exe
lgn.ini
lgo.ini
Banners\shbanner.htm
CmdGet =
CmdSent =
Error.log
.html
.mpeg
ClientLogoutRequest::HookKeys
/index.htm?RndID=
_hndguard.exe -rungrd
%s - %sVersion: %sHost: %sError Type: %sError Message: %sOS: %sCmdGet: %sCmdSent: %sProc: %s----%s
%dx%d
&ProductKey=
&hpass=hcafe
/se/adx.php
ad.handycafe.com
URL_1
URL_2
&webY=
Content-type: application/x-www-form-urlencoded
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
data\sets.ini
?456789:;<=
!"#$%&'()* ,-./0123
12005 The URL is invalid.
A12006 The URL scheme could not be recognized or is not supported.
I12012 The Win32 Internet function support is being shut down or unloaded.
12014 Password is incorrect.
)12016 The requested operation is invalid.
!12017 The operation was canceled.
B12018 The type of handle supplied is incorrect for this operation.
l12019 The requested operation cannot be carried out because the handle supplied is not in the correct state.
]12026 The required operation could not be completed because one or more requests are pending.
>12037 SSL certificate date is bad. The certificate is expired.
A12038 SSL certificate common name (host name field) is incorrect.
h12045 The function is unfamiliar with the Certificate Authority that generated the server's certificate.
*12055 The SSL certificate contains errors.
s12110 The requested operation cannot be made on the FTP session handle because an operation is already in progress.
12111 FTP session aborted.
212112 Passive mode is not available on the server.
@12135 The type of the locator is not correct for this operation.
~12136 The requested operation can be made only against a Gopher  server, or with a locator that specifies a Gopher  operation.
312154 The request made to HttpQueryInfo is invalid.
12156 The redirection failed because either the scheme changed (for example, HTTP to FTP) or all attempts made to redirect failed (default is five attempts).
*12160 The HTTP request was not redirected.
,12161 The HTTP cookie requires confirmation.
112162 The HTTP cookie was declined by the server.
612164 The Web site or server indicated is unreachable.
!12169 SSL certificate is invalid.
"12170 SSL certificate was revoked.
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
EAbout.pas
EBase64.pas
EBaseModule.pas
EBorlandDebug.pas
ECheck.pas
ECmdLine.pas
ECommon.pas
EConsts.pas
ECore.pas
ECrc32.pas
EDebug.pas
EDesign.pas
EDisAsm.pas
EEncrypt.pas
EHash.pas
EHook.pas
EIDEOptions.pas
ELang.pas
ELeaks.pas
EListView.pas
ELogManager.pas
EMain.pas
EMessages.pas
ENagScreen.pas
EOption.pas
EParser.pas
EResource.pas
ESockets.pas
EToolsAPI.pas
EToolServices.pas
ETypes.pas
EVariables.pas
EWait.pas
EWebTools.pas
ExceptionLog.pas
EXMLBuilder.pas
EZip.pas
EZlib.pas
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
shell32.dll
ShellExecuteA
SHFileOperationA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
comdlg32.dll
ADVAPI32.DLL
winmm.dll
ws2_32.dll
GetUdpStatistics
GetTcpStatistics
GetUdpTable
GetTcpTable
quartz.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
33333333330
3333338
3333333330
3333833330
3333330
333333330
3333333333
33333333333333
337373?3
333373?33
33333337
3733333
3337333
3333373
3737333
373333?3
333333333
333?33?333
333373?3
338333?330
33383?3330
3833830
<<9876$8
>=<9887$8
hg<1)ú
E(.Fcn
!'''{~~~
   {'''{...
&U%cg^
rP.Kj
X.yq.
Q?J9%c
8j-e}2
q.8ù
{.oiz|
f1aeq.Di
rd$I.BW
vHE%D
O9$%S
%Sm42)
Gf.OlG
KWindows
UrlMon
.JvProgressUtils
JvExExtCtrls
.ScktComp
fJwaIpExport
IdUDPClient
IdUDPBase
rSqlTimSt
EWebTools
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Glyph.Data
IconOptions.AutoArrange
frmChangePass
New Password
Re-type Password
PasswordChar
frmLogin
Icon.Data
Login Request
3.3.12
AtWebPost1
KeyPreview
Picture.Data
WebBrowser2
ChangePassword1
UrlTimer2Timer
webpop
webpopTitleChange
EditLabel.Width
EditLabel.Height
EditLabel.Caption
Admin Password (Re-type)
Disable "Login Request"
On Login
Items.Strings
Client UDP Port
Server UDP Port
IMPORTANT: Please do not change these settings. If you are having troubles please kindly contact us. Our support team will assist to solve your problems. Server / Client Password is not your admin password.
Server / Client Password
#Bitmap Files|*.bmp|Jpeg Files|*.jpg
All files|*.*
%%%c,,,
4###`###
WebBrowser1DocumentComplete
VMROptions.Mode
LoginDialog
Database Login
&Password:
PasswordDialog
Enter password
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
TFRMCHANGEPASS
TFRMLOGIN
TLOGINDIALOG
TPASSWORDDIALOG
To see what data this error report contains,
Send Error Report
No GIF Data to writeÊnnot change the Size of a GIF image
Could not load '%s' libraryLFile specified is not an executable file, dynamic-link library, or icon file
All files (*.*)|*.*
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
Remote Login
CompuServe GIF ImageÊnnot change the Size of a GIF image
*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Field '%s' not found
%s is not a valid BCD value$Could not parse SQL TimeStamp string
Invalid SQL date/time values
RCode NO Error%DNS Server Reports Query Format Error%DNS Server Reports Query Server Error#DNS Server Reports Query Name Error.DNS Server Reports Query Not Implemented Error&DNS Server Reports Query Refused Error
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRight
Invalid ownerE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL&Cannot change the size of a JPEG image
JPEG error #%d
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned
No help keyword specified.
Value must be between %d and %d
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
(%dx%d)
Invalid input value7Invalid input value. Use escape key to abandon changes
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
%s property out of range
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
Unsupported clipboard format
*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
No help found for %s#No context-sensitive help installed$No topic-based help system installed0Tab position incompatible with current tab style0Tab style incompatible with current tab position
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Invalid data type for '%s'&Cannot insert or delete rows from grid List capacity out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
System Error. Code: %d.
*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
3.3.2.1

hndclient.exe_1176_rwx_00574000_00001000:

data\sets.ini
3.3.21
kernel32.dll

hndclient.exe_1176_rwx_00B2B000_00001000:

EAbout.pas
ECmdLine.pas
EBase64.pas
EBaseModule.pas
EBorlandDebug.pas
ECheck.pas
ECrc32.pas
EDebug.pas
ECommon.pas
EConsts.pas
ECore.pas
EEncrypt.pas
EHash.pas
EHook.pas
ELang.pas
EDesign.pas
EDisAsm.pas
EToolServices.pas
ETypes.pas
EVariables.pas
EWait.pas
EWebTools.pas
ExceptionLog.pas
EXMLBuilder.pas
EZip.pas
EIDEOptions.pas
ELeaks.pas
EListView.pas
ELogManager.pas
EMain.pas
EMessages.pas
ENagScreen.pas
EOption.pas
EParser.pas
EResource.pas
ESockets.pas
EToolsAPI.pas
EZlib.pas
kernel32.dll

_hndguard.exe_2012:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
guard.log
hndclient.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetCPInfo
ExitWindowsEx
shell32.dll
ShellExecuteA
;0;4;8;<;@;}<
67R7n7
KWindows
Invalid variant operation
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
_hndguard.exe
3.3.13
3.3.1.3


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1868
    _hndguard.exe:2012

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
    %Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hndclient" = "D:\hndclient.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
