not-a-virus:AdWare.Win32.InstallMetrix.ban (Kaspersky), Gen:Variant.Application.Bundler.DomaIQ.22 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar.YR (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bf7a7452f40e0d21716814857a0a77f9
SHA1: f55526a8f590e5fa25a25225d1b26af202c0739a
SHA256: 9c798c14b0281a513118d2852f37ead5df4345463fe9ca31c2de0709bd9caea8
SSDeep: 24576:M7kSLsPpRbwFnyOrd41zcDbuLvpVnwXxh:G1sR6FnyOrd4S6pVy
Size: 1036416 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: TODO:
Created at: 2014-10-24 23:27:09
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
10772426_:3308
%original file name%.exe:644
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process 10772426_:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\errorpagestrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\HttpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\syntax[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\104[1] (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426_ (62084 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426 (874 bytes)
Registry activity
The process 10772426_:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10772426__RASMANCS]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 0e7d0cb58a5e7230415cca90e8e50292 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426_ |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
10772426_:3308
%original file name%.exe:644 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\errorpagestrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\HttpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\syntax[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\104[1] (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426_ (62084 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: TODO:
Company Name: TODO:
Product Name: TODO:
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Installer.exe
Internal Name: Installer.exe
File Version: 1.0.0.1
File Description: Firefox_Updater
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 39964 | 40448 | 4.52838 | fd3d985130ea423e6c84e214a89e48c0 |
| .rdata | 45056 | 17880 | 17920 | 3.32181 | be2b38baa641d2855feb63d50cd64d0d |
| .data | 65536 | 6944 | 3072 | 1.94762 | 901eb73073ee2def371553d4a4175d7d |
| .rsrc | 73728 | 959248 | 959488 | 5.47425 | f9d4938d1b4e9853d43431e07921f9fc |
| .reloc | 1036288 | 6940 | 7168 | 1.99682 | bdab612a385c301f26544f685c84b84a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
94359ae4d52507bcfc79d494235641bd
a1b086d8bcc1d11321740ab4b108004c
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://installmetrix.com/common/gate/installer_gate_client.php?download_id=10772426&mode=prechecking | 209.188.85.69 |
| hxxp://installmetrix.com/common/gate/installer_gate_client.php?download_id=10772426&mode=getcombo&offers= | 209.188.85.69 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /common/gate/installer_gate_client.php?download_id=10772426&mode=getcombo&offers= HTTP/1.1
User-Agent: 10772426_
Host: installmetrix.com
HTTP/1.1 404 Not Found
Date: Fri, 09 Dec 2016 09:28:12 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /common/gate/installer_gate_client.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...
GET /common/gate/installer_gate_client.php?download_id=10772426&mode=prechecking HTTP/1.1
User-Agent: 10772426_
Host: installmetrix.com
HTTP/1.1 404 Not Found
Date: Fri, 09 Dec 2016 09:28:12 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /common/gate/installer_gate_client.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
10772426__3308:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
u(SSSSSh
u(SSSSSh
PSSSSSSh
PSSSSSSh
f;T$.uBf
f;T$.uBf
QSShx'
QSShx'
tFHt:Ht.Ht"Hu`
tFHt:Ht.Ht"Hu`
j%XtL9E
j%XtL9E
t'SShl
t'SShl
SSSSh
SSSSh
tWSShW
tWSShW
tl9_ tgSSh
tl9_ tgSSh
u$SShe
u$SShe
FTCP
FTCP
u.Ph
u.Ph
tAHt.HHt
tAHt.HHt
FtPW
FtPW
SSh@B
SSh@B
s%j.Zf
s%j.Zf
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
CCmdTarget
CCmdTarget
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
CNotSupportedException
CNotSupportedException
CHttpFile
CHttpFile
RegDeleteKeyExW
RegDeleteKeyExW
TaskDialogIndirect
TaskDialogIndirect
CMDITabProxyWnd
CMDITabProxyWnd
CMDIChildWndEx
CMDIChildWndEx
CMDIFrameWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIChildWnd
CMDIFrameWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
GetProcessWindowStation
operator
operator
hXXp://installmetrix.com/common/gate/report.php?download_id=%s&mode=%d&combo_id=%d&os_name=%s&os_add=%s&os_build=%s&proj_id=%s&offer_id=%s&templateid=%s
hXXp://installmetrix.com/common/gate/report.php?download_id=%s&mode=%d&combo_id=%d&os_name=%s&os_add=%s&os_build=%s&proj_id=%s&offer_id=%s&templateid=%s
first url
first url
Windows 8
Windows 8
Windows Server 2012
Windows Server 2012
Windows 7
Windows 7
Windows Server 2008 R2
Windows Server 2008 R2
Windows Vista
Windows Vista
Windows Server 2008
Windows Server 2008
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition
Windows Server 2003
Windows Server 2003
Windows XP
Windows XP
Windows 2000
Windows 2000
WebStroller=I
WebStroller=I
GetWindowsDirectoryW
GetWindowsDirectoryW
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamW
CreateDialogIndirectParamW
GetKeyState
GetKeyState
SetWindowsHookExW
SetWindowsHookExW
UnhookWindowsHookEx
UnhookWindowsHookEx
GetKeyNameTextW
GetKeyNameTextW
MapVirtualKeyW
MapVirtualKeyW
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardState
GetKeyboardState
MapVirtualKeyExW
MapVirtualKeyExW
USER32.dll
USER32.dll
GetViewportExtEx
GetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
COMDLG32.dll
COMDLG32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
UrlUnescapeW
UrlUnescapeW
SHLWAPI.dll
SHLWAPI.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
OLEACC.dll
OLEACC.dll
InternetCrackUrlW
InternetCrackUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlW
HttpQueryInfoW
HttpQueryInfoW
InternetOpenUrlW
InternetOpenUrlW
WININET.dll
WININET.dll
IMM32.dll
IMM32.dll
WINMM.dll
WINMM.dll
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.?AVCHttpFile@@
.?AVCHttpFile@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMDIFrameWnd@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
zcÃ
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCException@@
.PAVCException@@
.?AVCWebGrab@@
.?AVCWebGrab@@
.?AVCWebGrabSession@@
.?AVCWebGrabSession@@
.PAVCInternetException@@
.PAVCInternetException@@
.PAVCFileException@@
.PAVCFileException@@
.?AVCWebPage@@
.?AVCWebPage@@
10772426
10772426
C:\Users
C:\Users
CCC.jjj
CCC.jjj
SSShzzz
SSShzzz
"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
var x = document.cookie;
var x = document.cookie;
1 2$2(2,2
1 2$2(2,2
4L4]4w4
4L4]4w4
040:0`0}0
040:0`0}0
>&>,>"?9?
>&>,>"?9?
01
01
11?1^1
11?1^1
!171!2-2~2
!171!2-2~2
=.=;=$>4>
=.=;=$>4>
8„8S8b8p8
8„8S8b8p8
8Â8v8
8Â8v8
5,626;6~6
5,626;6~6
515
515
4 4$4(4,4
4 4$4(4,4
> >$>(>,>0>4>8>
> >$>(>,>0>4>8>
6 6$6(6,6064686
6 6$6(6,6064686
2 2$2(2,20242\2`2|2
2 2$2(2,20242\2`2|2
= =$=(=,=0=4=8=
= =$=(=,=0=4=8=
: :$:(:,:0:4:8:<:>
: :$:(:,:0:4:8:<:>
=,=8=\=|=
=,=8=\=|=
7 7$7(7,7074787
7 7$7(7,7074787
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
KERNEL32.DLL
%s%s.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
lX-X-x-XX-XXXXXX
Advapi32.dll
Advapi32.dll
res://%s/%s
res://%s/%s
res://%s/%d
res://%s/%d
comctl32.dll
comctl32.dll
comdlg32.dll
comdlg32.dll
shell32.dll
shell32.dll
accKeyboardShortcut
accKeyboardShortcut
wuser32.dll
wuser32.dll
hhctrl.ocx
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
Afx:%p:%x
commctrl_DragListMsg
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
hXXp://
hXXp://
WININET.DLL
WININET.DLL
SHELL32.DLL
SHELL32.DLL
lXXxXXXXXXXX
lXXxXXXXXXXX
dwmapi.dll
dwmapi.dll
UxTheme.dll
UxTheme.dll
eShell32.dll
eShell32.dll
%s:%x:%x:%x:%x
%s:%x:%x:%x:%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
kernel32.dll
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
mfcm100u.dll
mfcm100u.dll
%sMFCToolBar-%d%x
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBar-%d
%sMFCToolBarParameters
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
TOOLBAR_RESETKEYBAORD
&%d %s
&%d %s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
COMCTL32.DLL
COMCTL32.DLL
USER32.DLL
USER32.DLL
KeyboardManager
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sDockingManager-%d
MFCLink_UrlPrefix
MFCLink_UrlPrefix
MFCLink_Url
MFCLink_Url
%sPane-%d%x
%sPane-%d%x
%sPane-%d
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d%x
%sBasePane-%d
%sBasePane-%d
windows
windows
ShowCmd
ShowCmd
%c%d%c%s
%c%d%c%s
%sMDIClientArea-%d
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
Hex={X,X,X}
Hex={X,X,X}
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
ENABLE_KEYS
KEYS_MENU
KEYS_MENU
KEYS
KEYS
RICHED20.DLL
RICHED20.DLL
RGB(%d, %d, %d)
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
%sMFCTasksPane-%d
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
Software\Microsoft\NET Framework Setup\NDP\v2.0.50727
Software\Microsoft\NET Framework Setup\NDP\v2.0.50727
Software\Microsoft\NET Framework Setup\NDP\v1.1.4322
Software\Microsoft\NET Framework Setup\NDP\v1.1.4322
Software\Microsoft\.NETFramework\Policy\v1.0
Software\Microsoft\.NETFramework\Policy\v1.0
%s %s
%s %s
hXXp://%s
hXXp://%s
Downloading %s...
Downloading %s...
Installing %s...
Installing %s...
hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=prechecking
hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=prechecking
hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=getcombo&offers=%s
hXXp://installmetrix.com/common/gate/installer_gate_client.php?download_id=%s&mode=getcombo&offers=%s
%s is being installed
%s is being installed
D:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
D:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
%s (%s:%d)
.html
.html
chrome
chrome
firefox
firefox
opera
opera
%USERPROFILE%
%USERPROFILE%
amitest.txt
amitest.txt
/s /t /i ElectroLyrics /u hXXp://VVV.amoninst.com/index.php
/s /t /i ElectroLyrics /u hXXp://VVV.amoninst.com/index.php
I/s /t /i WebStroller
I/s /t /i WebStroller
hXXp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe
hXXp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe
hXXps://sp-storage.spccinta.com/spidentifier/spidentifierstub/SPIdentifier.exe
hXXps://sp-storage.spccinta.com/spidentifier/spidentifierstub/SPIdentifier.exe
hXXp://val.costmin.info
hXXp://val.costmin.info
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Test|Result|1;
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Test|Result|1;
hXXp://VVV.wajam.com/download/wajam_validate.exe
hXXp://VVV.wajam.com/download/wajam_validate.exe
Webstroller - Amonetize
Webstroller - Amonetize
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
%s = %s
%s = %s
Read %d bytes (%0.1f Kb/s)
Read %d bytes (%0.1f Kb/s)
Read %d bytes
Read %d bytes
Resolving name for %s
Resolving name for %s
Resolved name for %s
Resolved name for %s
Unknown status: %d
Unknown status: %d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426_
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10772426_
1.0.0.1
1.0.0.1
InstallerManager.exe
InstallerManager.exe
All Files (*.*)
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
%s [Recovered]