MD5: 86a86be9b952ddb1562b20b4036a2ca5
SHA1: ff8efd75159e77468176bef96412445207a679a7
SHA256: 894b952e29a1b061bdd71c2d4c5afdb664db58cb900bfbe2e5665fbe9ebd693c
SSDeep: 12288:1zEB7yi84pUHYtKFm/lXvsMi0IvVVWbrz5rDO350wC2TexDfWLXNq/5:OBeLqtKFm/lX8vVVWbfBDO35LtTewLdG
Size: 747520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-06 02:18:02
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

wuapp.exe:3504
%original file name%.exe:3380
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\vkTQTUJqBC\svc.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar\%original file name%.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winysswdc.exe (561 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wingrbecm.exe (561 bytes)
C:\ewfps.exe (99 bytes)
C:\autorun.inf (265 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00062155_Rar\wincheck.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winysswdc.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar\%original file name%.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wingrbecm.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00062155_Rar (0 bytes)
C:\Windows\515a2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar (0 bytes)

Registry activity

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_1" = "1735290733"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m3_5" = "69945096"
"m3_2" = "3487544563"
"m2_2" = "3470576471"
"m2_3" = "910908362"
"m4_0" = "0"
"m2_1" = "1735293664"
"m2_6" = "1821804803"
"m4_2" = "3470581466"
"m2_4" = "2646190137"
"m2_5" = "86522028"
"m2_9" = "2732719960"
"m3_3" = "927474798"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Stvncyfrlda]
"m4_9" = "2732714709"
"m3_7" = "3573965266"

"m3_6" = "1838544551"
"m4_12" = "3643619612"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_6" = "1821809806"
"m4_13" = "1083943049"
"m3_4" = "2629490589"

"m4_10" = "173038146"
"m1_5" = "990974441"
"m1_4" = "2043211597"
"m1_7" = "2820037032"
"m1_6" = "942015960"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m1_0" = "1431655765"
"m1_3" = "553799287"
"m1_2" = "2322242303"
"m1_1" = "692605188"
"m4_11" = "1908328879"
"m1_9" = "151879564"
"m2_0" = "5517"
"m3_9" = "2749530364"
"m2_8" = "997420773"
"m3_8" = "980422977"
"m4_14" = "2819233782"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKCU\Software\Stvncyfrlda]
"m2_10" = "173032746"
"m1_10" = "3127516927"
"m2_12" = "3643615808"
"m1_12" = "1954038609"
"m2_14" = "2819228168"
"m1_14" = "628379951"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKCU\Software\Stvncyfrlda]
"m2_7" = "3557105270"

[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2F736F62616B61312E67696600687474703A2F2F3139302E3132302E3232372E39313A383038302F736F62616B61766F6C6F732E676966"

[HKCU\Software\Stvncyfrlda]
"m4_7" = "3557100539"
"m3_11" = "1891476358"

"m1_11" = "31487998"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "14"

[HKCU\Software\Stvncyfrlda]
"m4_3" = "910904903"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Stvncyfrlda]
"m1_13" = "3959391552"
"m1_8" = "3256253133"

[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "1E5571E550EC6AC53AE13D3F7DC0CC8061CA44594227D6670DCDCEE4A123B745EEAD14A703C99DD3DBA2A4D607F69A83882C176653A4259F99BD6A9AA8EBC4B5A7028BF34E1C7C726DDA76137D0018A90E5CEFA084D0BB9F20D2346760CC5762EE70F3336E4A2BF1EC3D5E297DC79279B9237BA952F46582C5B90B54CE577E6852FFEDCF4C3AF6531535847E5DA8CDE9FB42AE7DAD10CECB5628D6CB3D14BE8454AD881D29EE50C7CACF782FDC3C2625A60E29DB5AF20451090ADA90C8E812FAF069C6194C2CA266BD6AA8911F3774E5030BA04C8A9D88FAC4EFE9901B2A630033F20048AF11A37D0019DA4E355233F7FB54DC18CA8FD6E270532510C72C472D"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m2_13" = "1083945517"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "75"

[HKCU\Software\Stvncyfrlda]
"m3_13" = "1100530336"
"m3_12" = "3626914613"
"m4_8" = "997423976"
"m3_10" = "190001259"
"m2_11" = "1908331499"
"m3_14" = "2835971551"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MLvtBYqcKd" = "C:\Users\"%CurrentUserName%"\AppData\Local\VKTQTU~1\svc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
xmr.pool.minergate.com	136.243.102.157

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY BitCoinMiner Cpuminer Login

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

.rdata

.data

.reloc

0123456789

ntdll.dll

0125789244697858

50%CPU

100%CPU

taskmgr.exe

NtCreateKey

NtOpenKey

NtQueryKey

NtEnumerateKey

NtSetValueKey

NtQueryValueKey

NtEnumerateValueKey

NtDeleteValueKey

NtNotifyChangeKey

NtSaveKey

Shell32.dll

svc.exe

.text$mn

.idata$5

.rdata$zzzdbg

.idata$2

.idata$3

.idata$4

.idata$6

GetProcessHeap

SetThreadExecutionState

GetWindowsDirectoryW

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

VgCSP%X

!R7%x8

0].Mk

.Qx=ZK_

Mlt%U

7-u}h

yO.JB|Ea

;_t|%u

n%.DS

]:~.rAN

\.LHTP

.,.pe|

a*.BzO[

z.SVP

.aD\AY

%uf^A`

\.adgj/

%xX{<

T|HtCp

- %cGsambi$ou

t/ux

ourl=URL0

passb:P

S.eadjN

CPU=%d;KHS

c%c==

HTTP/

WebSOj

tX4Fr.rh.46Aw-wl-6

#"! '&%$ *)(/.-,32107654

Û`6

rj<s.yN>

#[.xU

a-C7}

.Wtxz(

lle.muig

.ana2

xz%Dm

7[\]^_`_

tCPb

.pPFgR

K.mi;o

.nnr1

7.46.0386l

.zxx.

TCP_N\LAY

~.Unm3

o.ZFWw

gg_'2r%S___

_i5%s-job_

(;%x'i

1W.pO R

zcÁ

MV.Zh

}X# .idX

yKey!K

#y.Bv

KERNEL32.DLL

Normaliz.dll

WLDAP32.dll

WS2_32.dll

548920469

:2446978580125

:57(924469485801

9244697858

78580!257

1246697

--1}&

pm%n-

."4[87,#|

4.eeh

6B.yU~

zÐj\.

.kA'S

1.eiL

%xBd\qXi

o%sJr$

4%S!M

gm3.hm

Bz-u1}

UrL!(C

%4 7L%f

%xs5&

%u9!Y

[H.Er-

%D.Bu1

%Fmnn J

.Eiew'C

r.jpB

?..eW>1

0;S3.Qgp

.MbZl

%9sJ'

UdS.xU

f.Us<&

"b%xU

>270.362

0),<%"9?

;)$8)-=>

6,)=/*09

16:78=1<

68=084<4

9=:6>656%)".*$) 

 (-($).'?

@.fgw5

G~yv\%U

.LuXl1

q9U

'219(<"3

7i.mX

;.xwC

:;30-7(?

:5789244697858

12446978580125

>9785801257892

:5789244697858`

44697858012578825469

01257892446978489525

:580125789244697858

78480135689244796858

itsbananas62@gmail.com

xmr.pool.minergate.com:45560

%x^3w

SHELL32.DLL

ShellExecuteA

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar\%original file name%.exe

%original file name%.exe

C:\Users\"%CurrentUserName%"\AppData\Local\vkTQTUJqBC\svc.exe

c:\%original file name%.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

MSVCRT.dll

SHELL32.dll

SHFileOperationA

\notepad.exe

\explorer.exe

\System32\wuapp.exe

\System32\svchost.exe

-a cryptonight -o stratum tcp://

e\KnownDlls\ntdll.dll

\KnownDlls32\ntdll.dll

\KnownDlls\ntdll.dll

\Software\Microsoft\Windows\CurrentVersion\RunOnce

C:\Users\"%CurrentUserName%"\AppData\Local\VKTQTU~1\svc.exe

%original file name%.exe_3380_rwx_003F0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

wuapp.exe_3504:

.text

`.data

.rsrc

@.reloc

wuapp.pdb

KERNEL32.dll

_wcmdln

_amsg_exit

msvcrt.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

GetProcessHeap

ole32.dll

SHLWAPI.dll

version="6.0.0.0"

name="Microsoft.Windows.windowsupdate.wuapp"

<requestedExecutionLevel

0 0$0<0@0`0|0

Ntdll.dll

WuSqm %ls session datapoint (id:%d) is incremented with dword %d.

WUApp.exe wWinMain() returning hr=%#lx

wuapp.exe: CreateProcess() failed, hr=%#lx

wuapp.exe

WUWeb

Report

7.6.7600.256

Global\WindowsUpdateTracingMutex

WindowsUpdate.log

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace

Windows

shell32.dll

%s: %s [

%s: %s

%s\%s

= Module: %s

= Module: <failed with %d>

= Process: %s

= Process: <failed with %d>

=========== Logging initialized (build: %s, tz: %s) ===========

kernel32.dll

%hs %ls page "%ls", hr=%X

Microsoft.WindowsUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\

%chdhd

hd-hd-hd%chd:hd:hd:hd

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData

WUAppNotificationWindows

Windows Update Application Launcher

7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)

Windows

Operating System

%original file name%.exe_3380_rwx_004A8000_00010000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar\%original file name%.exe

%original file name%.exe

C:\Users\"%CurrentUserName%"\AppData\Local\vkTQTUJqBC\svc.exe

.reloc

.text

c:\%original file name%.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

%original file name%.exe_3380_rwx_005C0000_00001000:

u%original file name%.exeM_3380_

%original file name%.exe_3380_rwx_013A0000_010BA000:

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

hXXp://89.119.67.154/testo5/

hXXp://kukutrustnet777.info/home.gif

hXXp://kukutrustnet888.info/home.gif

hXXp://kukutrustnet987.info/home.gif

.text

KERNEL32.dll

.reloc

USER32.dll

h.rdata

H.data

ntoskrnl.exe

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion

hXXp://VVV.klkjwre9fqwieluoi.info/

hXXp://kukutrustnet777888.info/

Software\Microsoft\Windows\CurrentVersion\policies\system

Software\Microsoft\Windows\ShellNoRoam\MUICache

%s:*:Enabled:ipsec

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

GdiPlus.dll

hXXp://

ipfltdrv.sys

VVV.microsoft.com

?%x=%d

&%x=%d

SYSTEM.INI

USER32.DLL

.%c%s

\\.\amsint32

NTDLL.DLL

autorun.inf

ADVAPI32.DLL

win%s.exe

%s.exe

WININET.DLL

InternetOpenUrlA

avast! Web Scanner

Avira AntiVir Premium WebGuard

cmdGuard

cmdAgent

Eset HTTP Server

ProtoPort Firewall service

SpIDer FS Monitor for Windows NT

Symantec Password Validation

WebrootDesktopFirewallDataService

WebrootFirewall

%d%d.tmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s\%s

%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Software\Microsoft\Windows\CurrentVersion\Ext\Stats

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

KERNEL32.DLL

Explorer.exe

A2CMD.

ASHWEBSV.

AVGCC.AVGCHSVX.

DRWEB

DWEBLLIO

DWEBIO

FSGUIEXE.

MCVSSHLD.

NPFMSG.

SYMSPORT.

WEBSCANX.

%c%d_%d

purity_control_%x

.adata

M_%d_

?456789:;<=

!"#$%&'()* ,-./0123

mongC:\Windows\

C:\Windows\hywjfubtsnl.log

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

C:\Windows\system32\drivers\jijkr.sys

3332337059

SHELL32.DLL

ShellExecuteA

GetProcessHeap

GetWindowsDirectoryA

RegEnumKeyExA

RegDeleteKeyA

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

SHFileOperationA

&3&3&3&389

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

WS2_32.dll

wuapp.exe_3504_rwx_00060000_0000B000:

.text

`.data

.rsrc

@.reloc

wuapp.pdb

KERNEL32.dll

_wcmdln

_amsg_exit

msvcrt.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

GetProcessHeap

ole32.dll

SHLWAPI.dll

version="6.0.0.0"

name="Microsoft.Windows.windowsupdate.wuapp"

<requestedExecutionLevel

0 0$0<0@0`0|0

Ntdll.dll

WuSqm %ls session datapoint (id:%d) is incremented with dword %d.

WUApp.exe wWinMain() returning hr=%#lx

wuapp.exe: CreateProcess() failed, hr=%#lx

wuapp.exe

WUWeb

Report

7.6.7600.256

Global\WindowsUpdateTracingMutex

WindowsUpdate.log

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace

Windows

shell32.dll

%s: %s [

%s: %s

%s\%s

= Module: %s

= Module: <failed with %d>

= Process: %s

= Process: <failed with %d>

=========== Logging initialized (build: %s, tz: %s) ===========

kernel32.dll

%hs %ls page "%ls", hr=%X

Microsoft.WindowsUpdate

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\

%chdhd

hd-hd-hd%chd:hd:hd:hd

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData

WUAppNotificationWindows

Windows Update Application Launcher

7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)

Windows

Operating System

wuapp.exe_3504_rwx_00100000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

wuapp.exe_3504_rwx_00110000_00001000:

uwuapp.exeM_3504_

wuapp.exe_3504_rwx_00160000_000E8000:

bb b!"bb#$bbbb%&'bbb(b)*b bbb,-.bb/0123bbbb4b5bbbbbbb6bbbbbb789:;<bbbbbbbb=bbb>?@ABCDEbbbbFbbbbGHbbbbbIbJKLbbbbbMNbbbOObbPbbbbbbbbbQbbRbSTUVWbXbbbbbbYZ[b\bb]^_bb`ba

>%ugj

u.hPH"

t.Gj:W

3|$\3|$4

option requires an argument -- %c

option requires an argument -- %s

unknown option -- %c

unknown option -- %s

\ux

\ux\ux

`%s near '%s'

%s near end of file

unable to decode byte 0x%x

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

duplicate object key

unable to open %s: %s

0123456789;

-o, --url=URL URL of mining server

-O, --userpass=U:P username:password pair for mining server

-p, --pass=PASSWORD password for mining server

--cert=FILE certificate for mining server using SSL

-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy

--no-longpoll disable long polling support

--no-getwork disable getwork support

--no-gbt disable getblocktemplate support

--no-stratum disable X-Stratum support

--no-extranonce disable Stratum extranonce support

--no-redirect ignore requests to change the URL of the mining server

-b, --api-bind IP/Port for the miner API (default: 127.0.0.1:4048)

A127.0.0.1

seturl

CPU=%d;KHS=%.2f|

NAME=%s;VER=%s;API=%s;ALGO=%s;CPUS=%d;KHS=%.2f;ACC=%d;REJ=%d;ACCMN=%.3f;DIFF=%.6f;TEMP=%.1f;FAN=%d;FREQ=%d;UPTIME=%.0f;TS=%u|

%c%c==

%c%c%c=

%c%c%c%c

clientkey: %s

%s258EAFA5-E914-47DA-95CA-C5AB0DC85B11

HTTP/1.1 101 Switching Protocol

Upgrade: WebSocket

Sec-WebSocket-Accept: %s

Sec-WebSocket-Protocol: text

0.0.0.0

API not running (no valid IPs specified)%s

API initialisation failed (%s)%s

API initialisation 2 failed (%s)%s

API bind to port %d failed - trying again in 20sec

API bind to port %d failed (%s)%s

API initialisation 3 failed (%s)%s

API failed (%s)%s

API: connection from %s - %s

Sec-WebSocket-Key

API: exec command %s(%s)

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

t44Fr.rh.66Aw-wl-

..eK9K\9

.rh.44Fr-wl-66Aw

O9K\9..eKW

trh.44Fr.wl-66Aw-

K\9..eK9

h.44Fr.rl-66Aw-w

O\9..eK9K=W

tXXFr.rh.44Aw-wl-66

.44Fr.rh-66Aw-wl

9..eK9K\W

r.rh.44Fw-wl-66A

rj<s.yN>

#[.xU

a-C7}

8.lCd

..r.zb)zKK

K.EGG

..rKzb)zKK

%sXAA

.hWBB

Visual C   CRT: Not enough memory to complete call to strerror.

Operation not permitted

Inappropriate I/O control operation

Broken pipe

GetProcessWindowStation

operator

ftps

https

smtp

smtps

tftp

7.46.0

libcurl/7.46.0

Unrecognized parameter value passed via CURLOPT_SSLVERSION

Curl_poll(%d ds, %d ms)

Pipe broke: handle %p, url = %s

In state %d with no easy_conn, bail out!

Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received

Operation timed out after %ld milliseconds with %I64d bytes received

Internal error clearing splay node = %d

Internal error removing splay node = %d

ignoring failed cookie_init for %s

23[^;

=] =I99[^;

httponly

skipped cookie with bad tailmatch domain: %s

#HttpOnly_

%s cookie %s="%s" for domain %s, path %s, expire %I64d

%s%s%s

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/docs/http-cookies.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

security.dll

secur32.dll

Could not resolve %s: %s

init_resolve_thread() failed for %s; %s

getaddrinfo() failed for %s:%d; %s

%s:%d

Hostname %s was found in DNS cache

%5[^:]:%d

Couldn't parse CURLOPT_RESOLVE removal entry '%s'!

%5[^:]:%d:%5s

Couldn't parse CURLOPT_RESOLVE entry '%s'!

Address in '%s' found illegal!

Added %s:%d:%s to DNS cache

rcmd

CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

Found bundle for host %s: %p

Server doesn't support multi-use yet, wait

Server doesn't support multi-use (yet)

Pipe is full, skip (%zu)

Multiplexed connection found!

Connected to %s (%s) port %ld (#%ld)

Failed to convert %s to ACE;

Protocol "%s" not supported or disabled in libcurl

Illegal characters found in URL

[^:]:%[^

:]://%[^

<url> malformed

SMTP.

Rebuilt URL to: %s

Please URL encode %% as %%, see RFC 6874.

http_proxy

No valid port number in proxy string (%s)

[%*45[0123456789abcdefABCDEF:.]%c

IPv6 numerical address used in URL without brackets

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number out of range

Couldn't find host %s in the _netrc file; using defaults

PTF@example.com

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

%s://%s

Found connection %ld, with requests in the pipe (%zu)

Re-using existing connection! (#%ld) with %s %s

No more connections allowed to host: %d

User-Agent: %s

Connection #%ld to host %s left intact

Send failure: %s

Recv failure: %s

Write callback asked for PAUSE when not supported!

[%s %s %s]

Failed to set SO_KEEPALIVE on fd %d

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d

Couldn't bind to interface '%s'

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Couldn't bind to '%s'

getsockname() failed with errno %d: %s

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

getpeername() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

connect to %s port %ld failed: %s

Failed to connect to %s port %ld: %s

Could not set TCP_NODELAY: %s

TCP_NODELAY set

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Immediate connect fail for %s: %s

schannel: SSL/TLS connection with %s port %hu (step 1/3)

schannel: disabled server certificate revocation checks

schannel: checking server certificate revocation

schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI.

schannel: SNI or certificate check failed: %s

schannel: AcquireCredentialsHandle failed: %s

schannel: using IP address, SNI is not supported by OS.

schannel: initial InitializeSecurityContext failed: %s

schannel: SSL/TLS connection with %s port %hu (step 2/3)

schannel: a client certificate has been requested

schannel: next InitializeSecurityContext failed: %s

schannel: SSL/TLS connection with %s port %hu (step 3/3)

schannel: incremented credential handle refcount = %d

select/poll on SSL/TLS socket, errno: %d

select/poll on SSL socket, errno: %d

schannel: Curl_read_plain returned CURLE_AGAIN

schannel: Curl_read_plain returned CURLE_RECV_ERROR

schannel: Curl_read_plain returned error %d

schannel: failed to read data from server: %s

schannel: shutting down SSL/TLS connection with %s port %hu

schannel: ApplyControlToken failure: %s

schannel: failed to send close msg: %s (bytes written: %zd)

schannel: decremented credential handle refcount = %d

--:--:--

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s

operation aborted by callback

Read callback asked for PAUSE when not supported!

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Simulate a HTTP 304 response!

%s in chunked-encoding

Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d

No URL set!

%%x

[^?&/:]://%c

Issue another request to this URL: '%s'

Disables POST, goes with %s

HTTPS

%s:%s

%sAuthorization: Basic %s

The requested URL returned error: %d

%s auth using %s with user '%s'

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Chunky upload is not supported by HTTP 1.0

Host: %s%s%s

Host: %s%s%s:%hu

PTF://

Range: bytes=%s

Content-Range: bytes %s%I64d/%I64d

Content-Range: bytes %s/%I64d

PTF://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

HTTP/

Avoided giant realloc for header (max is %d)!

The requested URL returned error: %s

Connection closure while negotiating auth (HTTP 1.0?)

HTTP error before end of send, stop sending

HTTP/%d.%d %d

Lying server, not serving HTTP/2

HTTP =

RTSP/%d.%d =

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s

Site %s:%d is pipeline blacklisted

Server %s is blacklisted

d:d:d

d:d

0123456789

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server failed to connect to data port

FTP: Accepting server connect has timed out

FTP: The server did not accept the PRET command.

FTP: unknown PASS reply

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

Error in the HTTP2 framing layer

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Problem with the SSL CA cert (path? access rights?)

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

Issuer check against peer certificate failed

Login denied

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Error in the SSH layer

Unable to parse FTP file list

SSL public key does not match pinned public key

SSL server certificate status verification FAILED

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

SEC_E_CERT_EXPIRED

SEC_E_CERT_UNKNOWN

SEC_E_CERT_WRONG_USAGE

SEC_E_KDC_CERT_EXPIRED

SEC_E_KDC_CERT_REVOKED

SEC_E_NO_KERB_KEY

SEC_E_NO_S4U_PROT_SUPPORT

SEC_E_QOP_NOT_SUPPORTED

SEC_E_SMARTCARD_CERT_EXPIRED

SEC_E_SMARTCARD_CERT_REVOKED

SEC_E_STRONG_CRYPTO_NOT_SUPPORTED

SEC_E_UNSUPPORTED_FUNCTION

SEC_E_UNSUPPORTED_PREAUTH

SEC_E_ILLEGAL_MESSAGE (0xXX) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

%s (0xXX)

%s - %s

%d.%d.%d.%d

LOGIN %s %s

AUTHENTICATE %s %s

AUTHENTICATE %s

No known authentication mechanisms supported!

LIST "%s" *

SELECT %s

FETCH %s BODY[%s]<%s>

FETCH %s BODY[%s]

APPEND %s (\Seen) {%I64d}

SEARCH %s

LOGINDISABLED

STARTTLS not supported.

STARTTLS denied. %c

Access denied. %c

%cd

%s %s

USER %s

APOP %s %s

AUTH %s %s

AUTH %s

STLS not supported.

Authentication failed: %d

PASS %s

CLIENT libcurl 7.46.0

MATCH %s %s %s

DEFINE %s %s

WSAStartup failed (%d)

insufficient winsock version to support telnet

%s IAC %s

%s IAC %d

%s %s %s

%s %s %d

%s %d %d

Sending data failed (%d)

%s IAC SB

%s (unsupported)

%d (unknown)

USER,%s

7[^= ]%*[ =]%5s

Syntax error in telnet option: %s

Unknown telnet option %s

%c%c%c%c%s%c%c

7[^,],7s

%c%s%c%s

WS2_32.DLL

failed to load WS2_32.DLL (%d)

failed to find WSACreateEvent function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSAEnumNetworkEvents function (%d)

WSACreateEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACloseEvent failed (%d)

FreeLibrary(wsock2) failed (%d)

TFTP

set timeouts for state %d; Total %ld, retry %d maxtry %d

got option=(%s) value=(%s)

blksize is larger than max supported

%s (%d)

blksize is smaller than min supported

%s (%ld)

%s (%d) %s (%d)

invalid tsize -:%s:- value in OACK packet

%s%c%s%c

tftp_send_first: internal error

Received last DATA packet block %d again.

Received unexpected DATA packet block %d, expecting block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

Received ACK for block %d, expecting %d

tftp_tx: giving up waiting for block %d ack

tftp_tx: internal error, event: %i

TFTP finished

bind() failed; %s

TFTP response timeout

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

LDAP local: %s

LDAP local: trying to establish %s connection

LDAP local: Cannot connect to %s:%ld

LDAP local: ldap_simple_bind_s %s

LDAP remote: %s

There are more than %d entries

SMTP

SMTPS

EHLO %s

HELO %s

MAIL FROM:%s

MAIL FROM:%s AUTH=%s

MAIL FROM:%s AUTH=%s SIZE=%s

MAIL FROM:%s SIZE=%s

RCPT TO:%s

RCPT TO:<%s>

Got unexpected smtp-server response: %d

Remote access denied: %d

Command failed: %d

MAIL failed: %d

RCPT failed: %d

DATA failed: %d

PORT

FTPS

Preparing for accepting server on data port

FTP response timeout

FTP response aborted due to select/poll error: %d

CWD %s

getsockname() failed: %s

failed to resolve the address provided to PORT: %s

socket failure: %s

bind(port=%hu) on non-local address failed: %s

bind(port=%hu) failed: %s

bind() failed, we ran out of ports!

%s |%d|%s|%hu|

Failure sending EPRT command: %s

,%d,%d

Failure sending PORT command: %s

Connect data stream passively

PRET %s

PRET STOR %s

PRET RETR %s

REST %d

SIZE %s

MDTM %s

APPE %s

STOR %s

RETR %s

%c%c%c%u%c

Illegal port number in EPSV reply

%d,%d,%d,%d,%d,%d

Skip %d.%d.%d.%d for data connection, re-use %s instead

Bad PASV/EPSV response: d

Can't resolve proxy host %s:%hu

Can't resolve new host %s:%hu

Failed to do PORT

dddddd

ddd d:d:d GMT

Last-Modified: %s, d %s M d:d:d GMT

unsupported MDTM reply format

Got a d response code instead of the assumed 200

ftp server doesn't support SIZE

Failed FTP upload: 

RETR response: d

PBSZ %d

ACCT %s

Access denied: d

ACCT rejected by server: d

Got a d ftp-server response when 220 was expected

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

PROT %c

Entry path is '%s'

QUOT command failed with d

MKD %s

Failed to MKD dir: d

PRET command not accepted: d

Remembering we are in dir "%s"

Failure sending ABOR command: %s

server did not report OK, got %d

QUOT string not accepted: %s

TYPE %c

Connecting to %s (%s) port %d

ftp_perform ends with SECONDARY: %d

Wildcard - START of "%s"

Wildcard - "%s" skipped by user

Failure sending QUIT command: %s

Uploading to a URL without a file name!

Couldn't open file %s

Can't open %s for writing

Can't get the size of %s

Refusing to issue an RTSP request [%s] without a session ID.

Transport:

Transport: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Range: %s

%s %s RTSP/1.0

Session: %s

%s%s%s%s%s%s%s%s

Unable to read the CSeq header: [%s]

Got RTSP Session ID Line [%s], but wanted ID [%s]

curl

login

password

%sAuthorization: Digest %s

%sAuthorization: NTLM %s

SOCKS4 communication to %s:%d

SOCKS4 connect to %s (locally resolved)

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Can't complete SOCKS5 connection to %s:%d. (%d)

Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

%s%s%s:%hu

Host: %s

CONNECT %s HTTP/%s

%s%s%s%s

HTTP/1.%d %d

TUNNEL_STATE switched to: %d

Received HTTP code %d from proxy after CONNECT

.jpeg

.html

; filename="%s"

%s; boundary=%s

Content-Type: multipart/mixed; boundary=%s

Content-Type: %s

couldn't open file "%s"

--%s--

------------------------xx

%sAuthorization: Negotiate %s

LOGIN

%s xxxxxxxxxxxxxxxx

user=%s

auth=Bearer %s

host=%s

port=%ld

Unsupported SASL authentication mechanism

0123456789-

KGS!@#$%%s/%s

NTLM handshake failure (type-3 message): Status=%x

SSPI error: %s failed: %s

User was rejected by the SOCKS5 server (%u %u).

Invalid SSPI authentication response type (%u %u).

SOCKS5 server authencticated user %s with GSS-API.

SOCKS5 server supports GSS-API %s data protection.

Invalid SSPI encryption response type (%u %u).

SOCKS5 access with%s protection granted.

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

{"method": "submit", "params": {"id": "%s", "job_id": "%s", "nonce": "%s", "result": "%s"},"id":4}

thread %d create failed

%d miner threads started, using '%s' algorithm.

{"method": "getwork", "params": ["%s"], "id":4}

{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "coinbasevalue", "longpoll", "workid"], "longpollid": "%s"}], "id":0}

{"method": "getjob", "params": {"id": "%s"}, "id":1}

json_rpc_call failed, retry after %d seconds

...terminating workio thread

...retry after %d seconds

{"method": "login", "params": {"login": "%s", "pass": "%s", "agent": "%s"}, "id": 1}

DEBUG: authenticated in %d ms

CURL initialization failed

DEBUG: job_id='%s' extranonce2=%s ntime=x

network hashrate too high, waiting %s...

Binding thread %d to cpu %d (mask %x)

Binding thread %d to cpu mask %x

work retrieval failed, exiting mining thread %d

Benchmark: %s

Mining timeout of %ds reached, exiting...

CPU #%d: %.2f H/s

CPU #%d: %s kH/s

Total: %s H/s

Total: %s kH/s

CURL init failed

Long-polling on %s

cert

%s detected new block%s

userpass

JSON decode failed(%d): %s

Starting Stratum on %s

Connection changed to %s

%s block %d, diff %.3f

%s %s block %d

net diff: %f -> shift %u, bits x

%s asks job %d for block %d

jansson/%s

pthreads/%d.%d.%d.%d

POK received: xx

getmininginfo not supported

%s block %d, %s

Unknown algo parameter '%s'

incorrect Nfactor %d

Current block is %d

%s:%d: %s

Switching to getwork, gbt version %d

Unrecognized block version: %u

hXXp://

hXXps://

stratum tcp://

unknown protocol -- '%s'

invalid URL -- '%s'

hXXp://%s

invalid username:password pair -- '%s'

invalid address -- '%s'

JSON option %s invalid

%s: unsupported non-option argument -- '%s'

accepted: %lu/%lu (%.2f%%), %s kH/s %s

reject reason: %s

127.0.0.1

block %u was already solved

Using config %s

CPU Supports AES-NI: %s

%s: no URL supplied

https:

{"method": "submit", "params": {"id": "%s", "job_id": "%s", "nonce": "%s", "result": "%s"}, "id":4}

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "submitblock", "params": ["%s%s", %s], "id":4}

{"method": "submitblock", "params": ["%s%s"], "id":4}

Binding process to cpu mask %x

DEBUG: %s

Hash: %s

Target: %s

http%s

Stratum connection failed: %s

mining.notify

Stratum set nonce %s with extranonce2 size=%d

{"id": 1, "method": "mining.subscribe", "params": []}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer-multi/1.2-dev", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer-multi/1.2-dev"]}

JSON-RPC call failed: %s

Stratum session id: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

{"id": 3, "method": "mining.extranonce.subscribe", "params": []}

extranonce subscribe not supported

Auth id: %s

JSON returned status "%s"

rpc2_login_decode

%s: fail

json_rpc2.0 error: %s

[%d-d-d d:d:d]%s %s%s

%s\cpuminer\cpuminer-conf.json

%s%scpuminer-conf.json

%.2f %cH/s

%.2f H/s%c

stratum tcp://%s:%d

Ignoring request to reconnect to %s

Server requested reconnection to %s

MESSAGE FROM SERVER: %s

mining.set_difficulty

mining.set_extranonce

client.reconnect

client.get_version

client.show_message

HTTP request failed: %s

xxxx

%ss%s: %s

Remote config read failed: %s

hex2bin failed on '%s'

JSON key '%s' not found

JSON key '%s' is not a string

zcÁ

14835880-0dad-4a61-840a-19d1274b294c

C:\Windows\System32\wuapp.exe

GetCPInfo

GetProcessHeap

PeekNamedPipe

CryptDestroyKey

CryptImportKey

,%.%"8#"

8448408

.text

`.rdata

@.data

.reloc

#y.Bv

KERNEL32.DLL

ADVAPI32.dll

Normaliz.dll

USER32.dll

WLDAP32.dll

WS2_32.dll

.mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

kernel32.dll

USER32.DLL

2.exe

ERROR %d converting to Punycode

combase.dll

taskhost.exe_872_rwx_00580000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

taskhost.exe_872_rwx_00590000_00001000:

utaskhost.exeM_872_

Dwm.exe_1376_rwx_00110000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

Dwm.exe_1376_rwx_00120000_00001000:

udwm.exeM_1376_

Explorer.EXE_1440_rwx_01C50000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

Explorer.EXE_1440_rwx_020D0000_00001000:

uexplorer.exeM_1440_

conhost.exe_1648_rwx_001C0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

conhost.exe_1648_rwx_002E0000_00001000:

uconhost.exeM_1648_

TPAutoConnect.exe_2160_rwx_00310000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

TPAutoConnect.exe_2160_rwx_00390000_00001000:

utpautoconnect.exeM_2160_

conhost.exe_2168_rwx_000B0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.reloc

.text

conhost.exe_2168_rwx_000C0000_00001000:

uconhost.exeM_2168_

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\system.ini (70 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\vkTQTUJqBC\svc.exe (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00051592_Rar\%original file name%.exe (5441 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winysswdc.exe (561 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wingrbecm.exe (561 bytes)
   C:\ewfps.exe (99 bytes)
   C:\autorun.inf (265 bytes)
   %Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "MLvtBYqcKd" = "C:\Users\"%CurrentUserName%"\AppData\Local\VKTQTU~1\svc.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.