Trojan.Win32.Swrort.3_cacf794507

by malwarelabrobot on August 4th, 2017 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Artemis!CACF794507F1 (McAfee), Trojan.Gen.2 (Symantec), Win32/DH{YSRX?} (AVG), Win32:Malware-gen (Avast), Trojan.Win32.Swrort.3.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: cacf794507f17eb2b4be2a7f03ad4e82
SHA1: 138e65b6ea04cda88ad2cd96198951f21836dd14
SHA256: a80361bead47d1b12bf2a12c01dade3d9cabd0f267d09f41d6428299f6078d7c
SSDeep: 3072:k MiDu7IJLu0QSvCcQxznVu/6evSpAr0KzsOwVmBjkpaG:3tDucJvvsbVi5S96szmj
Size: 167936 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-04-24 03:52:37
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

regsvr32.exe:3812
regsvr32.exe:2752
regsvr32.exe:3796
regsvr32.exe:3584
regsvr32.exe:4052
explorer.tmp:2636
cpcsgui.exe:576
%original file name%.exe:452
cpcs.exe:4076

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:3796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (49 bytes)

The process regsvr32.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext.dll (77 bytes)

The process regsvr32.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (499 bytes)

The process explorer.tmp:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\ChicaLogic\ChicaPC-Shield\is-NEPOV.tmp (53219 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-PMTFI.tmp (24 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\unins000.dat (2508 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-L2JG6.tmp (4549 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\cpcs.exe (49 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-NI5I2.tmp (601 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-KGU74.tmp (673 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-T60M8.tmp (2 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-LEKM4.tmp (12 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-2MBKH.tmp (12 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-2JS43.tmp (10 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-7E5GS.tmp (323 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-452NO.tmp (601 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-HI9NT.tmp (11 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-DHP32.tmp (1 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-FB8HA.tmp (15 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-LI09G.tmp (3361 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-0P3HN.tmp (10 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-IEE1K.tmp (5 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-IIOR9.tmp (114 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-LOIEI.tmp (10 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-3851I.tmp (10 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-9Q5EQ.tmp (2321 bytes)
C:\Users\Public\Desktop\ChicaPC-Shield.lnk (1 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext.dll (601 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-RRBVI.tmp (12 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\unins000.msg (463 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\Uninstall ChicaPC-Shield.lnk (1 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-BKPM0.tmp (10 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-BJMMU.tmp (289 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-469K7.tmp (46 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-TT1B0.tmp (2105 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-6IJLO.tmp (15278 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-MGJDH.tmp (22 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-9PTFC.tmp (20 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\cpcsgui.exep (454 bytes)
C:\Windows\System32\drivers\cpcs.sys (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_RegDLL.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\mbam.dll (849 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-D58IQ.tmp (3073 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-4KMR1.tmp (11 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\is-PQ4IC.tmp (7433 bytes)

The Trojan deletes the following file(s):

%Program Files%\ChicaLogic\ChicaPC-Shield\mbam-filter-64.sys (0 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext-32.dll (0 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbam-ssdt-32.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp (0 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext-64.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup (0 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbam-filter-32.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_RegDLL.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\mbam.dll (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\ChicaPC\explorer.exe (1169732 bytes)

The process cpcs.exe:4076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\build.conf (786 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbamcore.dll (565 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\news.conf (114 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\custom.conf (5 bytes)
C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\config.conf (2 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbamnet.dll (146 bytes)
%Program Files%\ChicaLogic\ChicaPC-Shield\mbam.dll (176 bytes)

Registry activity

The process regsvr32.exe:3812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\SSubTimer6.GSubclass]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\SSubTimer6.GSubclass\Clsid]
"(Default)" = "{71A27032-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\SSubTimer6.CTimer]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\SSubTimer6.ISubclass]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "__CTimer"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SSubTimer6.CTimer\Clsid]
"(Default)" = "{71A27034-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_GSubclass"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_CTimer"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_ISubclass"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SSubTimer6.ISubclass\Clsid]
"(Default)" = "{71A2702F-C7D8-11D2-BEF8-525400DFB47A}"

The Trojan deletes the following registry key(s):

[HKCR\SSubTimer6.ISubclass]
[HKCR\SSubTimer6.GSubclass\Clsid]
[HKCR\SSubTimer6.ISubclass\Clsid]
[HKCR\SSubTimer6.CTimer\Clsid]
[HKCR\SSubTimer6.CTimer]
[HKCR\SSubTimer6.GSubclass]

The process regsvr32.exe:2752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.vbalGrid"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\Forward]
"(Default)" = "{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}]
"(Default)" = "_cGridCell"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}]
"(Default)" = "_IGridCellOwnerDraw"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}]
"(Default)" = "cGridCell"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\VERSION]
"(Default)" = "1.1"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}]
"(Default)" = "_cGridSortObject"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\VERSION]
"(Default)" = "1.1"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}]
"(Default)" = "_vbalGrid"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\Forward]
"(Default)" = "{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\VERSION]
"(Default)" = "1.1"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\vbAcceleratorSGrid6.cGridSortObject\Clsid]
"(Default)" = "{D2129738-6A78-4BCB-915A-412982CAA23D}"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\vbAcceleratorSGrid6.cGridCell\Clsid]
"(Default)" = "{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}"

[HKCR\vbAcceleratorSGrid6.cGridSortObject]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\Forward]
"(Default)" = "{459A91BC-193F-4A70-959C-BFF69D781142}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\Control]
"(Default)" = ""

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}]
"(Default)" = "__vbalGrid"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\VERSION]
"(Default)" = "1.1"

[HKCR\vbAcceleratorSGrid6.cGridCell]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}]
"(Default)" = "vbAccelerator Grid Control"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus]
"(Default)" = "0"

[HKCR\vbAcceleratorSGrid6.vbalGrid\Clsid]
"(Default)" = "{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}"

[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid]
"(Default)" = "{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}]
"(Default)" = "cGridSortObject"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ToolboxBitmap32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx, 30000"

[HKCR\vbAcceleratorSGrid6.vbalGrid]
"(Default)" = "vbAccelerator Grid Control"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}]
"(Default)" = "IGridCellOwnerDraw"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The Trojan deletes the following registry key(s):

[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw]
[HKCR\vbAcceleratorSGrid6.cGridSortObject]
[HKCR\vbAcceleratorSGrid6.cGridCell]
[HKCR\vbAcceleratorSGrid6.vbalGrid\Clsid]
[HKCR\vbAcceleratorSGrid6.cGridSortObject\Clsid]
[HKCR\vbAcceleratorSGrid6.cGridCell\Clsid]
[HKCR\vbAcceleratorSGrid6.vbalGrid]
[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid]

The process regsvr32.exe:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\SSubTimer6.GSubclass\Clsid]
"(Default)" = "{71A27032-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\SSubTimer6.CTimer]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\SSubTimer6.ISubclass]
"(Default)" = "SSubTimer6.ISubclass"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "__CTimer"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SSubTimer6.CTimer\Clsid]
"(Default)" = "{71A27034-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION]
"(Default)" = "1.0"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_GSubclass"

[HKCR\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"(Default)" = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "SSubTimer6.CTimer"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_CTimer"

[HKCR\SSubTimer6.GSubclass]
"(Default)" = "SSubTimer6.GSubclass"

[HKCR\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}]
"(Default)" = "_ISubclass"

[HKCR\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0]
"(Default)" = "vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support timer bug fix)"

[HKCR\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"

[HKCR\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"

[HKCR\SSubTimer6.ISubclass\Clsid]
"(Default)" = "{71A2702F-C7D8-11D2-BEF8-525400DFB47A}"

The process regsvr32.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Folder\shellex\ContextMenuHandlers\MBAMShlExt]
"(Default)" = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

[HKCR\MBAMExt.MBAMShlExt]
"(Default)" = "MBAMShlExt Class"

[HKCR\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext.dll"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID]
"(Default)" = "MBAMExt.MBAMShlExt.1"

[HKCR\MBAMExt.MBAMShlExt\CLSID]
"(Default)" = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

[HKCR\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0]
"(Default)" = "MBAMExt 1.0 Type Library"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID]
"(Default)" = "MBAMExt.MBAMShlExt"

[HKCR\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib]
"(Default)" = "{AFF1A83B-6C83-4342-8E68-1648DE06CB65}"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib]
"(Default)" = "{AFF1A83B-6C83-4342-8E68-1648DE06CB65}"

[HKCR\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\MBAMExt.MBAMShlExt.1\CLSID]
"(Default)" = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

[HKCR\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}]
"(Default)" = "MBAMShlExt Class"

[HKCR\MBAMExt.MBAMShlExt.1]
"(Default)" = "MBAMShlExt Class"

[HKCR\MBAMExt.MBAMShlExt\CurVer]
"(Default)" = "MBAMExt.MBAMShlExt.1"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt]
"(Default)" = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

[HKCR\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}]
"(Default)" = "IMBAMShlExt"

[HKCR\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\mbamext.dll"

[HKCR\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The process regsvr32.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.vbalGrid"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\Forward]
"(Default)" = "{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}]
"(Default)" = "_cGridCell"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}]
"(Default)" = "_IGridCellOwnerDraw"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}]
"(Default)" = "cGridCell"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}]
"(Default)" = "_cGridSortObject"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\VERSION]
"(Default)" = "1.1"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}]
"(Default)" = "_vbalGrid"

[HKCR\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\VERSION]
"(Default)" = "1.1"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\vbAcceleratorSGrid6.cGridSortObject\Clsid]
"(Default)" = "{D2129738-6A78-4BCB-915A-412982CAA23D}"

[HKCR\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\VERSION]
"(Default)" = "1.1"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\Forward]
"(Default)" = "{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}"

[HKCR\vbAcceleratorSGrid6.cGridCell\Clsid]
"(Default)" = "{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}"

[HKCR\vbAcceleratorSGrid6.cGridSortObject]
"(Default)" = "vbAcceleratorSGrid6.cGridSortObject"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\Forward]
"(Default)" = "{459A91BC-193F-4A70-959C-BFF69D781142}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\Control]
"(Default)" = ""

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS]
"(Default)" = "2"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}]
"(Default)" = "__vbalGrid"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\vbAcceleratorSGrid6.cGridCell]
"(Default)" = "vbAcceleratorSGrid6.cGridCell"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}]
"(Default)" = "vbAccelerator Grid Control"

[HKCR\vbAcceleratorSGrid6.vbalGrid\Clsid]
"(Default)" = "{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\TypeLib]
"Version" = "1.1"

[HKCR\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid]
"(Default)" = "{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\TypeLib]
"Version" = "1.1"

[HKCR\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1]
"(Default)" = "vbAccelerator VB6 SGrid Control 2.0"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\ProgID]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\TypeLib]
"Version" = "1.1"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib]
"Version" = "1.1"

[HKCR\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}]
"(Default)" = "cGridSortObject"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield"

[HKCR\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ToolboxBitmap32]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx, 30000"

[HKCR\vbAcceleratorSGrid6.vbalGrid]
"(Default)" = "vbAccelerator Grid Control"

[HKCR\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}]
"(Default)" = "vbAcceleratorSGrid6.IGridCellOwnerDraw"

[HKCR\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\TypeLib]
"Version" = "1.1"

[HKCR\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}]
"(Default)" = "IGridCellOwnerDraw"

[HKCR\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\TypeLib]
"(Default)" = "{DE8CE233-DD83-481D-844C-C07B96589D3A}"

[HKCR\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\VERSION]
"(Default)" = "1.1"

[HKCR\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The process explorer.tmp:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"DisplayIcon" = "%Program Files%\ChicaLogic\ChicaPC-Shield\cpcs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"MajorVersion" = "1"
"Inno Setup: App Path" = "%Program Files%\ChicaLogic\ChicaPC-Shield"
"DisplayVersion" = "1.51.2.1600"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"UninstallString" = "%Program Files%\ChicaLogic\ChicaPC-Shield\unins000.exe"
"Inno Setup: Language" = "English"

[HKLM\SOFTWARE\ChicaPC-Shield]
"InstallPath" = "%Program Files%\ChicaLogic\ChicaPC-Shield"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"programversion" = "1.51.2.1600"
"DBVersion" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"Inno Setup: Deselected Tasks" = "quicklaunchicon"

[HKCU\Software\ChicaPC-Shield]
"Language" = "English.lng"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "100"

[HKLM\SOFTWARE\ChicaPC-Shield]
"dbdate" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"InstallLocation" = "%Program Files%\ChicaLogic\ChicaPC-Shield\"
"Publisher" = "ChicaLogic"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cpcs.exe]
"Path" = "%Program Files%\ChicaLogic\ChicaPC-Shield"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"QuietUninstallString" = "%Program Files%\ChicaLogic\ChicaPC-Shield\unins000.exe /SILENT"

"Inno Setup: Icon Group" = "ChicaLogic\ChicaPC-Shield"
"EstimatedSize" = "13279"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Setup Version" = "5.4.2 (a)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cpcs.exe]
"(Default)" = "%Program Files%\ChicaLogic\ChicaPC-Shield\cpcs.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChicaPC-Shield_is1]
"URLInfoAbout" = "http://www.chicalogic.com"
"Inno Setup: Selected Tasks" = "desktopicon"
"NoRepair" = "1"
"DisplayName" = "ChicaPC-Shield version 1.51.2.1600"
"MinorVersion" = "51"
"InstallDate" = "20170803"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ChicaPC-Shield" = "%Program Files%\ChicaLogic\ChicaPC-Shield\cpcsgui.exe /install /silent"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process cpcsgui.exe:576 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChicaPC-Shield"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ChicaPC-Shield"

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process cpcs.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ChicaPC-Shield\UUID]
"StatsId" = "445290b5-77d2-11e7-8a19-0050563baeac"

[HKLM\SOFTWARE\ChicaPC-Shield]
"UseProxy" = "0"

[HKCU\Software\ChicaPC-Shield]
"StartWithWindows" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"advancedheuristics" = "1"

[HKCU\Software\ChicaPC-Shield]
"alwaysscanfiles" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"useauthentication" = "0"

[HKCU\Software\ChicaPC-Shield]
"defaultscan" = "0"
"trialpromptshown" = "0"
"silentipmode" = "0"

[HKLM\SOFTWARE\ChicaPC-Shield]
"notifyinstallprogram" = "1"
"startipdisabled" = "0"

[HKCU\Software\ChicaPC-Shield]
"autosavelog" = "1"
"alwaysscanmemory" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"downloadprogram" = "1"
"updatewarn" = "1"

[HKCU\Software\ChicaPC-Shield]
"alwaysscanstartups" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"hidereg" = "0"

[HKCU\Software\ChicaPC-Shield]
"openlog" = "1"
"selectedrives" = "C:\|D:\|"

[HKLM\SOFTWARE\ChicaPC-Shield\UUID]
"StatsIdVerification" = "c85abc4db5d60ca614413a83e5e24d87"

[HKLM\SOFTWARE\ChicaPC-Shield]
"detectpup" = "2"

[HKCU\Software\ChicaPC-Shield]
"alwaysscanheuristics" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"updatewarndays" = "7"
"detectp2p" = "0"

[HKCU\Software\ChicaPC-Shield]
"ContextMenu" = "1"
"startfsdisabled" = "0"

[HKLM\SOFTWARE\ChicaPC-Shield\UUID]
"StatsIdLastSent2" = "30608351 114179789"

[HKCU\Software\ChicaPC-Shield]
"terminateie" = "0"
"alwaysscanregistry" = "1"
"reportthreats" = "1"

[HKLM\SOFTWARE\ChicaPC-Shield]
"detectpum" = "1"

Dropped PE files

MD5 File path
33e790e072fe613ac98847c3cf4ceb50 c:\Program Files\ChicaLogic\ChicaPC-Shield\cpcs.exe
bd607cf4eacc89295211eb4676a0f507 c:\Program Files\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
1d276e6e0f5ad22c4f4b5bfb727118ca c:\Program Files\ChicaLogic\ChicaPC-Shield\cpcsservice.exe
2b62997d017532ed0d8ab82466cd85ee c:\Program Files\ChicaLogic\ChicaPC-Shield\mbam.dll
023c35197914891ab40bb1436153b982 c:\Program Files\ChicaLogic\ChicaPC-Shield\mbamcore.dll
d97381ceaab43a6abac4171c204265aa c:\Program Files\ChicaLogic\ChicaPC-Shield\mbamext.dll
20d197db0bef40881968ac9226c4a8d9 c:\Program Files\ChicaLogic\ChicaPC-Shield\mbamnet.dll
91ea28804ec3a71126841554199e28bc c:\Program Files\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll
d35094e97b0622d4758ad80cec5458f6 c:\Program Files\ChicaLogic\ChicaPC-Shield\unins000.exe
baa4de42156350754976dd563d02cde4 c:\Program Files\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx
ac8de7d0a4152fa25d0119e4ff1924ed c:\Windows\System32\drivers\cpcs.sys
b92ee8791da9edd21776d4fa941da510 c:\Windows\Temp\ChicaPC\explorer.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 121651 121856 4.59997 b4dc87d95562a77a117176f85f23dced
.rdata 126976 25916 26112 3.39821 fc495375c2b49c30f6b3463f2c179449
.data 155648 16132 6656 2.75132 f5afd6962ce466293f907af09077a3e9
.rsrc 172032 1704 2048 2.59527 0cf2d80ea5778246d969f80c5f7f4eaa
.reloc 176128 9942 10240 3.48991 c6fcf8b22417383a97224fb378347360

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://x25.net/~support/ChicaPC.exe 204.57.81.3
hxxp://e4280.g.akamaiedge.net/v1/config/chicalogic/version.chk
hxxp://e4280.g.akamaiedge.net/v1/config/chicalogic/data/config.1610.conf
hxxp://e4280.g.akamaiedge.net/v1/news/chicalogic/version.chk
hxxp://e4280.g.akamaiedge.net/v1/news/chicalogic/data/news.1600.conf
hxxp://e4280.g.akamaiedge.net/v1/custom/chicalogic/version.chk
hxxp://e4280.g.akamaiedge.net/v1/custom/chicalogic/data/custom.1600.conf
hxxp://data-cdn.mbamupdates.com/v1/config/chicalogic/data/config.1610.conf 23.65.117.251
hxxp://data-cdn.mbamupdates.com/v1/custom/chicalogic/data/custom.1600.conf 23.65.117.251
hxxp://data-cdn.mbamupdates.com/v1/news/chicalogic/data/news.1600.conf 23.65.117.251
hxxp://data-cdn.mbamupdates.com/v1/news/chicalogic/version.chk 23.65.117.251
hxxp://data-cdn.mbamupdates.com/v1/custom/chicalogic/version.chk 23.65.117.251
hxxp://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk 23.65.117.251
stats.mbamupdates.com 23.21.207.100


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /~support/ChicaPC.exe HTTP/1.1
Host: x25.net
User-agent: HeadReqSample
Connection: close


HTTP/1.1 200 OK
Date: Wed, 02 Aug 2017 22:30:21 GMT
Server: Apache
Last-Modified: Tue, 24 Apr 2012 00:30:51 GMT
ETag: "138102e-8b9bb0-4be61dde944c0"
Accept-Ranges: bytes
Content-Length: 9149360
Connection: close
Content-Type: application/x-msdos-program
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.........F......@.............@..........................@............
[email protected]........,..........p...@.......
......................................................................
..............CODE....d........................... ..`DATA....L.......
....................@...BSS.....L................................idata
[email protected]................................
[email protected]....................
[email protected]....,.......,[email protected].............@..
[email protected]..............................................
......................................................................
..............................................string................&l
t;[email protected].@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance.
.L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameI
s...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsF
rom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..Field
Address...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObj
ect.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.
@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /v1/news/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
ETag: "480157-4-51b2115abbac0"
Server: Apache
Last-Modified: Sat, 18 Jul 2015 07:16:35 GMT
Accept-Ranges: bytes
Content-MD5: nphMEIFXzqdMiUtc8078RA==
Content-Type: text/plain; charset=UTF-8
Content-Length: 4
Cache-Control: public, must-revalidate, max-age=53
Expires: Wed, 02 Aug 2017 22:31:59 GMT
Date: Wed, 02 Aug 2017 22:31:06 GMT
Connection: close
1600..


GET /v1/custom/chicalogic/data/custom.1600.conf HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-MD5: Ds9avhV0ac2XoJq+H5eGyA==
Content-Type: text/plain; charset=UTF-8
ETag: "60009d-5-4a98c6e3f4b40"
Last-Modified: Tue, 02 Aug 2011 21:28:37 GMT
Server: Apache
Content-Length: 5
Cache-Control: max-age=1780
Expires: Wed, 02 Aug 2017 23:00:47 GMT
Date: Wed, 02 Aug 2017 22:31:07 GMT
Connection: close
.3..S..


GET /v1/config/chicalogic/data/config.1610.conf HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-MD5: g5o4mN1QySGvpTyqMowVEA==
Content-Type: text/plain; charset=UTF-8
ETag: "1a0246-966-4aa1b79d9d300"
Last-Modified: Wed, 10 Aug 2011 00:08:12 GMT
Server: Apache
Content-Length: 2406
Cache-Control: max-age=1800
Expires: Wed, 02 Aug 2017 23:01:04 GMT
Date: Wed, 02 Aug 2017 22:31:04 GMT
Connection: close
.3.p<o].b......4..t.cFx6.P.x.....f...j...U..$x,_...'.Gd.k?.-M..C...
......@^l......x.V!V.if...E0&...o}"..........Et.......l...5/..v..!d...
...]Rj...R.5.i.....~T..j(k"...y.m.7.....).c..9e..X..B...A.Y5.h#l..~X..
....G...))Q28B..k/I....bk.......@BF...?......nl]. ..Z.*.!.......T.r.7.
s.......v8..4j....GVS..=?.....5....ut......QV/.,c....*o...{........qf.
=......^..`..4...!2^.y.j[....s.S...Vk}.....e..Q.{.WE...9... @...&.....
:i..ep5..u..\......O..g..0.&.e.>.81.t.0.$../..bM.........Y....I.l%.
....H.[;u.a.... .....R..6]x.Js4..x...^[email protected].
.v....Qf....1I..oO.e.M;rO}.NP_....M..(1m.j.ZS..U..,..Y.z9...B....K.`..
0.P.}.H.f..U..Wa...?.. .O...........o.A_.../...|U..j..C..t.I.b..d..Gb.
.&....!c.uu..x..{...x......n=...Z.....H..y.i...BGs.v..G{...7..[.3G/v1.
g8...G...F...8;....M.0p.[6..g..;.m)I........t..-.....G.....].o).....p.
...4....a..F:.....o...\.P.....).......f.T..W...b...j.M....gK.......>
;6)8.I.}$.9. ....X..l.......`j....pR....z}...y}..BN/5..z...xX..g.]....
(.S9B...(.....Q5...P?x....`4...Yo.XA. .../.N.H...VO.......;.z.T2...Dp.
..BX...&.!..l....E.!....xc.6.*.._../..!...&...$...*8g....N..k......=..
.^....[...t.......?(t4.Xgb.....c.:...e..X.7.g.v....2.$...;O...]...[F..
.l.I....o.....h..D..g2\.....cK.y.f..yZ.9z..@@.....e~Z......rs.n...s...
.._..(.8...F..9V^K.P.....:UAM.../..{u.m...X;.p..v].y..K..|...2..G}x.=.
tW.. X........U\v....|6."...../...=.(-.{.......:[email protected].
........x.Q.k.L0.E...uTUi>[email protected].!5..).z...M. .9.5.X...b..4..
.a...vF...Y..5.Y..Z.f..g.z...,...v4.$......!y..Z....3Y..>......

<<< skipped >>>

GET /v1/config/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
ETag: "480247-4-51b2115abbac0"
Server: Apache
Accept-Ranges: bytes
Content-MD5: oUrFWk8nRyxdiU7Bw8dD0g==
Content-Type: text/plain; charset=UTF-8
Last-Modified: Sat, 18 Jul 2015 07:16:35 GMT
Content-Length: 4
Cache-Control: public, must-revalidate, max-age=57
Expires: Wed, 02 Aug 2017 22:32:01 GMT
Date: Wed, 02 Aug 2017 22:31:04 GMT
Connection: close
1610..


GET /v1/custom/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
ETag: "60009e-4-51b2115abbac0"
Server: Apache
Last-Modified: Sat, 18 Jul 2015 07:16:35 GMT
Accept-Ranges: bytes
Content-MD5: nphMEIFXzqdMiUtc8078RA==
Content-Type: text/plain; charset=UTF-8
Content-Length: 4
Cache-Control: public, must-revalidate, max-age=60
Expires: Wed, 02 Aug 2017 22:32:06 GMT
Date: Wed, 02 Aug 2017 22:31:06 GMT
Connection: close
1600..


GET /v1/news/chicalogic/data/news.1600.conf HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: Close
Content-Length: 0
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_free (scanner) - base:1.51.2.1600 - rules:7622


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-MD5: /gWfn+YOYzJ1c6btIil3pA==
Content-Type: text/plain; charset=UTF-8
ETag: "1a0156-72-4a98c6ff9cc80"
Last-Modified: Tue, 02 Aug 2011 21:29:06 GMT
Server: Apache
Content-Length: 114
Cache-Control: max-age=1800
Expires: Wed, 02 Aug 2017 23:01:06 GMT
Date: Wed, 02 Aug 2017 22:31:06 GMT
Connection: close
.3.p<l.<e......<.. .I=<w.EEc.........b......k5 _.....G`.k{
.s...M..........\a...^..n.A%/yd%...A<,....<v..........h...


The Trojan connects to the servers at the following location(s):

%original file name%.exe_452:

.text
`.rdata
@.data
.rsrc
@.reloc
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
GetProcessWindowStation
operator
c:\windows\temp\test.txt
c:\windows\temp\
c:\test.txt
%s%s\%s
GET %s HTTP/1.1
x25.net/~support/afk/TDSSKiller.exe
CreateProcess failed (%d).
%Program Files% (x86)\ChicaLogic\ChicaPC-Shield\
Download cancelled! Press any key to continue...
%s%s\
cpcs.exe
explorer.exe
failed to download. Firewall may be blocking or Windows temp folder is corrupt.
downloaded but failed to run. UAC or malware may have blocked or Windows temp folder is corrupt.
KERNEL32.dll
USER32.dll
GDI32.dll
ShellExecuteA
ShellExecuteExW
SHELL32.dll
WS2_32.dll
GetCPInfo
GetProcessHeap
zcÁ
c:\%original file name%.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
=$=(=,=0=4=8=<=@=
>(>/>4>8><>]>
>&?,?0?4?8?
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
%S%S\%S
%s failed with error %d: %s
%S [%s]
ChicaPC.exe
hXXp://x25.net/~support/ChicaPC.exe
afk.me

SearchProtocolHost.exe_3432:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
Phx%S
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_2012:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

cpcs.exe_4076:

.text
`.data
.rsrc
MSVBVM60.DLL
mbam.ctlTab
mbam.ctlProgressBar
mbam.ctlDatePicker
vbalsgrid6.ocx
vbAcceleratorSGrid6.vbalGrid
modRegistryOperations
cmdRemoveAllLogs
cmdRemoveLog
cmdDeleteAll
cmdDelete
cmdRestoreAll
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files% (x86)\Microsoft Visual Studio\VB98\vbalsgrid6.oca
cmdRestore
cmdAddTask
cmdEditTask
cmdDeleteTask
cmdRemoveAllFromIgnore
cmdAddToIgnore
cmdOpenLog
cmdRemoveFromIgnore
cmdScheduler
chkReportThreats
cmdFileAssassin
lblProxyPort
lblProxyPassword
txtProxyPassword
txtProxyPort
chkStartWithWindows
cmdStartTrial
cmdAbort
cmdWebsite
cmdPause
cmdScan
cmdRemove
cmdMainMenu
cmdIgnoreSingleItem
cmdBottomPurchase
cmdRegister
cmdHelp
cmdSaveLog
cmdUpdate
cmdExit
CryptDeriveKey
CryptDestroyKey
UnhookWindowsHookEx
SetWindowsHookExA
ExitWindowsEx
ShellExecuteExA
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
GetWindowsDirectoryA
ScheduleCmdLine
txtKey
KillRegKey
.Yzfp
ResetKeyPermissions
cmdStart
VBA6.DLL
5cmdLater
cmdSaveTask
cmdCancel
cmdDismiss
cmdLater
Adobe Photoshop CS2 Windows
2007:12:16 00:23:33
>^.xo
 ;.gv
:Óy
ifbPG=RI?KD;52.YVRnlk
%S`xH7
t0SSh
2011:08:01 15:24:50
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CS5 Macintosh" xmp:CreateDate="2011-08-01T14:50:40-07:00" xmp:ModifyDate="2011-08-01T15:24:50-07:00" xmp:MetadataDate="2011-08-01T15:24:50-07:00" xmpMM:InstanceID="xmp.iid:028011740720681195FE80618EE8C9F6" xmpMM:DocumentID="xmp.did:A3FF65DAB4AC11E0B97FE76AB3CEE658" xmpMM:OriginalDocumentID="xmp.did:A3FF65DAB4AC11E0B97FE76AB3CEE658" dc:format="image/jpeg" photoshop:ColorMode="3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A3FF65D7B4AC11E0B97FE76AB3CEE658" stRef:documentID="xmp.did:A3FF65D8B4AC11E0B97FE76AB3CEE658"/> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:018011740720681195FE80618EE8C9F6" stEvt:when="2011-08-01T15:24:50-07:00" stEvt:softwareAgent="Adobe Photoshop CS5 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:028011740720681195FE80618EE8C9F6" stEvt:when="2011-08-01T15:24:50-07:00" stEvt:softwareAgent="Adobe Photoshop CS5 Macintosh" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2011:08:26 14:46:23
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:05:41 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop CS4 Macintosh" xmp:CreateDate="2011-08-25T21:24:38-04:00" xmp:MetadataDate="2011-08-26T14:46:23-04:00" xmp:ModifyDate="2011-08-26T14:46:23-04:00" dc:format="image/jpeg" xmpMM:InstanceID="xmp.iid:B03DBCBA772168118A498E1A0E2875FE" xmpMM:DocumentID="xmp.did:35109A6AE02068118A498E1A0E2875FE" xmpMM:OriginalDocumentID="xmp.did:35109A6AE02068118A498E1A0E2875FE" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;BED2F9BF2FB62614527F5E9EFEFF4C98" exif:PixelXDimension="550" exif:PixelYDimension="200" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;0A5F172594A9B23A605D67D483FA0019" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:35109A6AE02068118A498E1A0E2875FE" 
stEvt:when="2011-08-25T21:24:38-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:36109A6AE02068118A498E1A0E2875FE" stEvt:when="2011-08-25T21:41:06-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:37109A6AE02068118A498E1A0E2875FE" stEvt:when="2011-08-25T21:48:09-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:38109A6AE02068118A498E1A0E2875FE" stEvt:when="2011-08-25T21:52:16-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:39109A6AE02068118A498E1A0E2875FE" stEvt:when="2011-08-25T21:57:40-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:3A109A6AE02068118A498E1A0E2875FE" stEvt:when="2011-08-25T22:02:26-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D26D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-25T22:05:10-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D36D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T06:56-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D46D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T07:02:03-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D56D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T07:03:18-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D66D16B2442168118A498E1A0E2875FE" 
stEvt:when="2011-08-26T07:15:05-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D96D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T11:35:14-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:DA6D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T11:35:14-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:DB6D16B2442168118A498E1A0E2875FE" stEvt:when="2011-08-26T11:58:11-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:EB052FEE712168118A498E1A0E2875FE" stEvt:when="2011-08-26T12:21:25-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:EE052FEE712168118A498E1A0E2875FE" stEvt:when="2011-08-26T12:22:30-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:EF052FEE712168118A498E1A0E2875FE" stEvt:when="2011-08-26T12:22:30-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:A93DBCBA772168118A498E1A0E2875FE" stEvt:when="2011-08-26T14:44:33-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:AA3DBCBA772168118A498E1A0E2875FE" stEvt:when="2011-08-26T14:44:33-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:AD3DBCBA772168118A498E1A0E2875FE" stEvt:when="2011-08-26T14:46:09-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:AE3DBCBA772168118A498E1A0E2875FE" 
stEvt:when="2011-08-26T14:46:09-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:AF3DBCBA772168118A498E1A0E2875FE" stEvt:when="2011-08-26T14:46:23-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> <rdf:li stEvt:action="converted" stEvt:parameters="from application/vnd.adobe.photoshop to image/jpeg"/> <rdf:li stEvt:action="derived" stEvt:parameters="converted from application/vnd.adobe.photoshop to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:B03DBCBA772168118A498E1A0E2875FE" stEvt:when="2011-08-26T14:46:23-04:00" stEvt:softwareAgent="Adobe Photoshop CS4 Macintosh" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:AF3DBCBA772168118A498E1A0E2875FE" stRef:documentID="xmp.did:35109A6AE02068118A498E1A0E2875FE" stRef:originalDocumentID="xmp.did:35109A6AE02068118A498E1A0E2875FE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
Registry Key
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
english.lng
mbam.dll
mbamcore.dll
mbamext.dll
cpcsswissarmy.sys
cpcsservice.exe
cpcsgui.exe
VVV.chicalogic.com
incidental, special, exemplary, or consequential damages, including, but not limited to, loss
hXXp://
hXXp://VVV.malwarebytes.org/malwarenet.php?name=
\rules.ref
rules.ref
regsvr32.exe /s
\ssubtmr6.dll
\vbalsgrid6.ocx
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
regsvr32.exe
ChicaPC-Shield is provided as is. Any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the author be liable for any direct, indirect, incidental, special, exemplary, or consequential damages, including, but not limited to, loss of use, data, or profits; or business interruption, however caused and on any theory of liability, including negligence or otherwise, arising in any way out of the use of this program.
%system%
%systemroot%
explorer.exe
\userinit.exe,
).txt
--- --- ---
windows
keys
\*.txt
iexplore.exe
DELKEY:
HKEY_LOCAL_MACHINE\
Registry keys to delete:
autorun.inf
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\regedit.exe
\regedit.exe /S
00000000000
SupportedNameSpace
\Languages\*.lng
(Heuristics.Shuriken)
*.txt
Key: ****-****-****-****
keygen.exe
hkey_classes_root
hkey_current_user
hkey_local_machine
hkey_users
regedit.exe
ignore.dat
-error.txt
PROGRAM_ERROR_OS_NOT_SUPPORTED
hXXps://chicalogic.cleverbridge.com/586/purl-chicapc-shield-help
%xaction%
hXXps://
1.51.1119
cpcs.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:3812
    regsvr32.exe:2752
    regsvr32.exe:3796
    regsvr32.exe:3584
    regsvr32.exe:4052
    explorer.tmp:2636
    cpcsgui.exe:576
    %original file name%.exe:452
    cpcs.exe:4076

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (49 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\mbamext.dll (77 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (499 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\is-NEPOV.tmp (53219 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-PMTFI.tmp (24 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\unins000.dat (2508 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-L2JG6.tmp (4549 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\cpcs.exe (49 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-NI5I2.tmp (601 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-KGU74.tmp (673 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-T60M8.tmp (2 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-LEKM4.tmp (12 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-2MBKH.tmp (12 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-2JS43.tmp (10 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-7E5GS.tmp (323 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-452NO.tmp (601 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-HI9NT.tmp (11 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-DHP32.tmp (1 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-FB8HA.tmp (15 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-LI09G.tmp (3361 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-0P3HN.tmp (10 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-IEE1K.tmp (5 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-IIOR9.tmp (114 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-LOIEI.tmp (10 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-3851I.tmp (10 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-9Q5EQ.tmp (2321 bytes)
    C:\Users\Public\Desktop\ChicaPC-Shield.lnk (1 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-RRBVI.tmp (12 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\unins000.msg (463 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\Uninstall ChicaPC-Shield.lnk (1 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-BKPM0.tmp (10 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\is-BJMMU.tmp (289 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-469K7.tmp (46 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-TT1B0.tmp (2105 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-6IJLO.tmp (15278 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-MGJDH.tmp (22 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-9PTFC.tmp (20 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\cpcsgui.exep (454 bytes)
    C:\Windows\System32\drivers\cpcs.sys (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\_isetup\_RegDLL.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-9UEPD.tmp\mbam.dll (849 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-D58IQ.tmp (3073 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\Languages\is-4KMR1.tmp (11 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\is-PQ4IC.tmp (7433 bytes)
    C:\Windows\Temp\ChicaPC\explorer.exe (1169732 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\build.conf (786 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\mbamcore.dll (565 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\news.conf (114 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\custom.conf (5 bytes)
    C:\ProgramData\ChicaLogic\ChicaPC-Shield\Configuration\config.conf (2 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\mbamnet.dll (146 bytes)
    %Program Files%\ChicaLogic\ChicaPC-Shield\mbam.dll (176 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "ChicaPC-Shield" = "%Program Files%\ChicaLogic\ChicaPC-Shield\cpcsgui.exe /install /silent"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
