  • Online Scan: Analyze ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe file and fix runtime errors, Fix System Error
    Welcome to my blog. I found malicious code that was added to the ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe file. Due to infection by malicious code, the file contents changed. The MD5 value of the infected file is 9a77a845525a3d72f46b3ece99ed575c, and the file size is 1.3 MB (1,314,666 bytes).
    Risk level of malicious code: 3 stars (rated by 263 users)
    Behavior of malicious code (498 votes). If you know more about this malicious code, please vote. We sincerely hope you will share your information with other computer users and help them.
    1. Infect files: 12.65% (63)
    2. Intentionally destroy data: 12.65% (63)
    3. Steal personal privacy: 10.44% (52)
    4. Infect other computers through the Internet: 12.05% (60)
    5. Install a backdoor program so that the computer is controlled remotely: 14.26% (71)
    6. Cheat or threaten users into buying something: 12.05% (60)
    7. Download and install other programs in the background without permission: 11.85% (59)
    8. Pop up various advertisements and induce users to click: 14.06% (70)
    Binary Code Analysis:
    When the program runs, the PE loader will try to load the file at 0x00400000 in the virtual address space; the Address Of Entry Point is 0x0014B4AD. This file has 7 sections.
    • DOS Header
    • DOS Stub
    • ...
    • NT File Signature
    • NT HEADER
    • FILE HEADER
    • OPTIONAL HEADER
    • Data Directory
    • .text SECTION #1
    • .rdata SECTION #2
    • .data SECTION #3
    • .gfids SECTION #4
    • .tls SECTION #5
    • .rsrc SECTION #6
    • .reloc SECTION #7
    About this malicious code
    This malicious code is a 32-bit program that infects an EXE file. When the file is run or the file is loaded, the malicious code in the file is run first. Later, this malicious code also infects the following files:

    • ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe

    Tip: There is something I must emphasize. The file names listed above are those of files infected by malicious code. It does not mean that every file with one of these names is a malicious file. It is inaccurate to decide whether a file is a malicious program based on its file name alone.

    The malicious code also infects files on the following path:

    • c:\windows\system32\eventproviders\ar-sa\
    • c:\windows\system32\drvstore\lbd_d996e5cc178082520d5c11260a28955c8455fd4a\
    • c:\windows\system32\spool\drivers\x64\{69fe0d1b-befb-4d0b-b98b-9468954c880c}\
    • c:\windows\system32\drivers\sv-se\
    • c:\windows\system32\spool\xpsep\amd64\
    • c:\windows\diagnostics\system\audio\zh-cn\
    • c:\windows\diagnostics\system\printer\uk-ua\
    • c:\windows\softwaredistribution.bck\download\73d0044450d22d6ecd55ffe68d3fa9d1\msil_system.web.routing.resources_31bf3856ad364e35_6.3.9600.16384_fr-fr_523eb970465b2a95\
    • c:\windows\temp\nagent_autopatches\patch_10_2_434_nagent_e2017-06-08-17-25-44\data_protcomp\
    • c:\windows\application compatibility scripts\ru-ru\
    • c:\windows\system32\migration\nb-no\
    • c:\windows\drivers\exe\me driver (intel)\uns\
    • c:\windows\ccm\clientux\el\
    • c:\windows\syswow64\dynamsoft\dynamicwebtwain\forchrome\
    • c:\windows\resources\themes\aero\aerolite.msstyles\windows xp (olive)\
    • c:\windows\twain_64\kodak\kds_i900\
    • c:\windows\resources\themes\royalenoir\
    Tip: The code of most malicious files is fixed and rarely changes. This means that this type of malicious file, regardless of which computer it is on, copies itself into the preset paths, so we can go to the paths listed above to look for this file, and there is a good chance of finding it there.
    Are all the files with the same file name listed above and with the same path malicious files?
    Of course not. The file name is just the identification of the file. Strictly speaking, the file is modified by malicious code.

    The following are methods commonly used by malicious code in order to confuse users:

    • Deliberately change their own file name to that of a system file or of some well-known software.
    • Generate malicious files in the system folder or in the installation folder of some well-known software, and even name their own folder after an antivirus product (which the user actually never installed). In fact, these malicious files are neither system files nor part of the well-known software.

    For example, one of the most common system file names is explorer.exe, and under normal circumstances the system has only one explorer.exe process. When you open Task Manager and find two or more explorer.exe processes, it is likely camouflage by some malicious virus. As shown in the following figure, there are two explorer.exe processes in Task Manager.

    When I check the path where each file is located, it becomes clear that the real explorer.exe system file is located under "C:\Windows\", and the malicious file that pretends to be a system process is under a different path.

    The running status of the ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe file that is infected with malicious code:
    • Memory used: 121K
    • CPU usage: between 44% and 63%
    • Runs with Administrator permissions.
    • At runtime, 16 Windows system files and 0 external files (not owned by the Windows system) are called.
    Windows system files (file name: number of functions called)
  • gdiplus.dll: 9
  • IPHLPAPI.DLL: 1
  • VERSION.dll: 3
  • MSIMG32.dll: 1
  • WS2_32.dll: 26
  • PSAPI.DLL: 1
  • WINMM.dll: 3
  • ADVAPI32.dll: 12
  • KERNEL32.dll: 176
  • GDI32.dll: 27
  • SHELL32.dll: 8
  • ole32.dll: 10
  • OLEAUT32.dll: 5
  • USER32.dll: 80
  • COMCTL32.dll: 1
  • USERENV.dll: 2
    Files not owned by the Windows system (file name: number of functions called): none
    In general, the most accurate way to determine whether a file is malicious is to analyze its code and see what happens when these functions are called while the program is running. Does it show malicious behavior (destroying data or stealing data)? I have listed the functions called by this file and some of its internal data, but there is too much data to show all of it here; the full binary code analysis page contains the rest.
    Export function:
    The following function is exported by this file. Export functions are useful for analyzing the specific behavior of a running file: starting from the function entry address and debugging the code line by line, you can obtain a lot of the data generated by this file.
    Export File - online_installer.exe
  • Ordinal 0x00000001, Function Name GetHandleVerifier, Entry Address 0x0000EE00
    ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe runtime behavior analysis
    The ADVAPI32.dll dynamic link library is loaded and the functions in the file are called: ( Advapi32.dll is part of a high-level API application interface service library that contains functions related to object security, registry manipulation, and event logging. It is generally located in the system directory: \WINDOWS\system32\ )
  • RegOpenKeyExW: Opens the specified registry key. Note that key names are not case sensitive.
  • RegQueryValueExW: Retrieves the data associated with the default or unnamed value of a specified registry key.
    The KERNEL32.dll dynamic link library is loaded and the following functions in the file are called: ( Kernel32.dll is a very important 32-bit dynamic link library file in the Windows operating system. It is a kernel-level file. It controls the system's memory management, data input and output operations and interrupt handling. When the Windows operating system starts, kernel32.dll resides in a specific write-protected area of memory, so that other programs cannot occupy this memory area. )
  • UnhandledExceptionFilter: An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged.
  • GetStartupInfoW: Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created.
  • RtlUnwind: Initiates an unwind of procedure call frames.
  • GetConsoleMode: Retrieves the current input mode of a console's input buffer or the current output mode of a console screen buffer.
  • ExitProcess: Ends the calling process and all its threads.
  • ReadConsoleW: Reads character input from the console input buffer and removes it from the buffer.
  • GetLastError: Retrieves the calling thread's last-error code value.
  • GetCurrentProcess: Retrieves a pseudo handle for the current process.
  • GetCurrentThreadId: Retrieves the thread identifier of the calling thread.
  • GetModuleFileNameW: Retrieves the fully qualified path for the file that contains the specified module.
  • GetModuleHandleW: Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
  • GetProcAddress: Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
  • GetTickCount: Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.
  • CreateFileW: Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
  • CreateEventW: Creates or opens a named or unnamed event object and returns a handle to the object.
  • WaitForSingleObject: Waits until the specified object is in the signaled state or the time-out interval elapses.
  • GetCurrentProcessId: Retrieves the process identifier of the calling process.
  • OpenProcess: Opens an existing local process object.
  • CreateToolhelp32Snapshot: Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.
  • Process32FirstW: Retrieves information about the first process encountered in a system snapshot.
  • Process32NextW: Retrieves information about the next process recorded in a system snapshot.
  • GetModuleHandleExW: Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
  • LoadLibraryW: Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
  • SetThreadPriority: Sets the priority value for the specified thread. This value, together with the priority class of the thread's process, determines the thread's base priority level.
  • GetSystemTimeAsFileTime: Retrieves the current system date and time. The information is in Coordinated Universal Time (UTC) format.
  • QueryPerformanceCounter: Retrieves the current value of the performance counter, which is a high resolution (<1us) time stamp that can be used for time-interval measurements.
  • DuplicateHandle: Duplicates an object handle.
  • CreateThread: Creates a thread to execute within the virtual address space of the calling process.
  • IsDebuggerPresent: Determines whether the calling process is being debugged by a user-mode debugger.
  • TerminateProcess: Ends the calling process and all its threads.
  • SetHandleInformation: Sets certain properties of an object handle.
  • GetStdHandle: Retrieves a handle to the specified standard device (standard input, standard output, or standard error).
  • AssignProcessToJobObject: Assigns a process to an existing job object.
  • ResumeThread: Decrements a thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.
  • SetFileTime: Sets the date and time that the specified file or directory was created, last accessed, or last modified.
  • FlushFileBuffers: Flushes the buffers of a specified file and causes all buffered data to be written to a file.
  • TlsSetValue: Stores a value in the calling thread's thread local storage (TLS) slot for the specified TLS index. Each thread of a process has its own slot for each TLS index.
  • TlsAlloc: Allocates a thread local storage (TLS) index. Any thread of the process can subsequently use this index to store and retrieve values that are local to the thread, because each thread receives its own slot for the index.
  • TlsGetValue: Retrieves the value in the calling thread's thread local storage (TLS) slot for the specified TLS index. Each thread of a process has its own slot for each TLS index.
  • GetQueuedCompletionStatus: Attempts to dequeue an I/O completion packet from the specified I/O completion port. If there is no completion packet queued, the function waits for a pending I/O operation associated with the completion port to complete.
  • PostQueuedCompletionStatus: Posts an I/O completion packet to an I/O completion port.
  • CreateIoCompletionPort: Creates an input/output (I/O) completion port and associates it with a specified file handle, or creates an I/O completion port that is not yet associated with a file handle, allowing association at a later time. Associating an instance of an opened file handle with an I/O completion port allows a process to receive notification of the completion of asynchronous I/O operations involving that file handle.
  • SetEvent: Sets the specified event object to the signaled state.
  • SetEnvironmentVariableW: Sets the contents of the specified environment variable for the current process.
  • GetModuleHandleExA: Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
  • DeviceIoControl: Sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation.
  • CreateFileA: Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
  • SetUnhandledExceptionFilter: Enables an application to supersede the top-level exception handler of each thread of a process.
  • SetErrorMode: Controls whether the system will handle the specified types of serious errors or whether the process will handle them.
  • CreateFileMappingW: Creates or opens a named or unnamed file mapping object for a specified file.
  • WriteConsoleW: Writes a character string to a console screen buffer beginning at the current cursor location.
  • GetEnvironmentStringsW: Retrieves the environment variables for the current process.
  • FreeEnvironmentStringsW: Frees a block of environment strings.
  • SetEnvironmentVariableA: Sets the contents of the specified environment variable for the current process.
    The SHELL32.dll dynamic link library is loaded and the following functions in the file are called: ( Shell32.dll is an important file stored in the \Windows\System32\ folder. Normally it is created automatically during the installation of the operating system and is critical to the normal operation of the system. Under normal circumstances, users are not advised to make arbitrary modifications to this type of file. Its existence plays an important role in maintaining the stability of the computer system. )
  • ShellExecuteW: Performs an operation on a specified file.
  • ShellExecuteExW: Performs an operation on a specified file.
    The USER32.dll dynamic link library is loaded and the following functions in the file are called: ( User32.dll is the Windows user interface application programming interface; it handles the basic user interface and related features, such as creating windows and sending messages. )
  • GetWindowRect: Retrieves the dimensions of the bounding rectangle of the specified window.
    The following files have been identified as malicious files. Some files are variants of ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe; some files are another type of malicious file, but use the same file name as ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe.

    Determining whether a file is malicious by its hash value is simple and effective, and has a lower false-detection rate than the "static signature" method. So, if the MD5 value of a file on the computer is the same as an MD5 value listed below, then it is certain that the file is a malicious file.

    Below are my analysis results for the code of each malicious file, mainly provided for industry professionals engaged in computer security maintenance. If you are interested, you can also take a look, but it may require some computer knowledge.
    • File MD5
    • File Size
    • File Bit
    • File Type
    • Binary Code Analysis

    How to repair or remove ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe

    Method 1: Manual Removal

    • Reboot the system and then enter safe mode (the steps differ slightly between Windows versions: XP/Vista/7/8/10).

    • Open Task Manager and if ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe is running, end this program.

    • Show all hidden files.
    Step: "My Computer" -> "Folder Options" -> "View" -> "Show hidden files, folders, and drives"

    • The malicious code generates or infects files in the following paths, so you need to go into each of the following paths one by one and delete all files named [ ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe ]

    • c:\windows\system32\eventproviders\ar-sa\
    • c:\windows\system32\drvstore\lbd_d996e5cc178082520d5c11260a28955c8455fd4a\
    • c:\windows\system32\spool\drivers\x64\{69fe0d1b-befb-4d0b-b98b-9468954c880c}\
    • c:\windows\system32\drivers\sv-se\
    • c:\windows\system32\spool\xpsep\amd64\
    • c:\windows\diagnostics\system\audio\zh-cn\

    • Finally, restart your computer.

    Method 2: Automatic Removal Using Tools (Recommended)

    This is free virus detection software, and it is compatible with many well-known anti-virus products, so users do not have to uninstall the anti-virus software already on the computer.

    It is "environmentally friendly" for computers. After downloading, it can be used straight after decompression, without installation. While running, it does not write any information to the registry or create any new files in the Windows folder of the system disk. When you no longer need it, you can simply delete it; it leaves no junk behind on your computer.

    When you find that your operating system behaves abnormally, and the file name listed above appears in Task Manager, or several running processes share the same name as the core file, it is best to download the anti-virus software and check your system.

    Online detection of ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe

    If you don't know if ucbrowser_v6.1.2015.1007_4618_(build1702211800)_(en-us)_online_installer.exe is infected with malicious code on your computer, you may also use online scan tool.

    • Use the following online detection function to check the file.
    • Enter the file name, or the file MD5, for the query.
    • You can also scan a file online. Click the "Upload File" button, and then click the "submit" button, to immediately detect whether the file is a virus. (Tip: The size of the uploaded file cannot exceed 8MB.)
    How do I use the T21 engine for online scanning?

    T21 can detect unknown files online, mainly using "behavior-based" judgment mechanism. It is very simple to use T21.

    1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
    2. The next step is to wait for the system to check, which may take a little time, so please be patient.
    3. When the T21 scan engine finishes detection, the test results are immediately fed back, as shown below:

    • If you suspect that there are malicious files on your computer, but you cannot find where they are, or if you want to make a thorough check on your computer, you can download the automatic scanning tool.

    If you want to know what the T21 system is, you can read the introduction of T21. You can also go to the home page to read about the original intention and philosophy behind my development of the T21 system.

    Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.
    Copyright © 2016-2019 mygoodtools.com All rights reserved.