Skip to main content

Trojan.Generic.70781_b7921fcd08


Trojan.Win32.Autoit.wh (Kaspersky), Trojan.Generic.70781 (AdAware), Trojan.Win32.Alureon.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b7921fcd083df99a3fe59e1712a919c7

SHA1: 7391e5c201fc0a6e5f9bbbc7e71fa06d9c55d561

SHA256: f4acf29addb699c71ede89d9ed43e42c38885ea2a0b3d9645e4ca9408c9f288f

SSDeep: 393216:oPh1Ca/ajg9kGQw61DlxQgAXrInDbthiMheEvYvKBp6hVFWJGGe:Yh1gkejzTAXrInD60eQYvKBp6h31

Size: 17128583 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2007-10-24 12:48:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

trlang.exe:1932
egui.exe:1896
updatepatch.exe:456
ekrn.exe:364
is-5IC2H.tmp:1060
%original file name%.exe:1920
NOD32.FiX.v3.0.tmp:652
NOD32.FiX.v3.0.exe:228
nlv3mod.exe:2968
MsiExec.exe:1204
MsiExec.exe:1328

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process trlang.exe:1932 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\ESET\ESET NOD32 Antivirus\eplgOELang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnScanLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnEpfwLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOESmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiScanLang.dll (7832 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiLang.dll (30568 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ShellExtLang.dll (2312 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnSmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eclsLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEpfwLang.dll (20648 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiAmonLang.dll (392 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)

The process updatepatch.exe:456 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (3746 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp (0 bytes)

The process ekrn.exe:364 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat (174 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB (388548 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EHttpSrv.xml (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\upd0AE4.ver (0 bytes)

The process is-5IC2H.tmp:1060 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\ESET\ESET NOD32 Antivirus\unins001.dat (2064 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-VNGOU.tmp (7616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\is-M3T4C.tmp (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (0 bytes)

The process %original file name%.exe:1920 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (4727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (5560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (118928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (228 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (0 bytes)

The process NOD32.FiX.v3.0.tmp:652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\is-HR45C.tmp (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ESET\ESET NOD32 Antivirus\Uninstall NOD32 FiX.lnk (775 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-QAQB8.tmp (3073 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\unins000.dat (934 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-5SSES.tmp (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (3 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-GBGIK.tmp (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (23 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\NOD32.FiX.v3.0-aRC-ReXBR-nsane.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp (0 bytes)

The process NOD32.FiX.v3.0.exe:228 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (3753 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (0 bytes)

The process MsiExec.exe:1204 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Installer\7af7.msi (122334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inx5.tmp (5 bytes)

The process MsiExec.exe:1328 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NSF15.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP32.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP22.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF12.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1E.tmp (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF59.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar85.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3E.tmp (4028 bytes)
%System%\drivers\SET8A.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP64.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF35.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2E.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF31.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF18.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab86.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP54.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF53.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1B.tmp (267 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em001_32.dat (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2A.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4D.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1A.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1C.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF45.tmp (271 bytes)
%System%\drivers\SET8E.tmp (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF39.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF19.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3F.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab88.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7B.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP20.tmp (53149 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em003_32.dat (2019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP52.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFE.tmp (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4B.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF73.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF25.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6D.tmp (267 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em000_32.dat (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP66.tmp (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3A.tmp (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5F.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP47.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP42.tmp (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6F.tmp (3565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7C.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF41.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFF.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP38.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7D.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF51.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6E.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1F.tmp (277 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em004_32.dat (6963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF23.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF16.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP72.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF13.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4F.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF29.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7A.tmp (30 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em002_32.dat (180567 bytes)
%WinDir%\setupapi.log (10176 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP34.tmp (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7F.tmp (3565 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP56.tmp (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP37.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5D.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP40.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6C.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5A.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF49.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP28.tmp (53149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF79.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF10.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP27.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF14.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab84.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP57.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP24.tmp (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP60.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP50.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP62.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar89.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF17.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF11.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP58.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF75.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2D.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5B.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3D.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar87.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4A.tmp (51 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em005_32.dat (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF63.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP70.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF69.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP48.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP30.tmp (53149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2B.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4E.tmp (4028 bytes)
%System%\drivers\SET8C.tmp (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3B.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6B.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP68.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP74.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP76.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5E.tmp (10111 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP26.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP46.tmp (4028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP36.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF71.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2C.tmp (74 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2F.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6A.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP77.tmp (3565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7E.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF33.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF65.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF21.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1D.tmp (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP67.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF55.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF43.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP78.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF61.tmp (274 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NSF15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF59.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP64.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP54.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF53.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF45.tmp (0 bytes)
%System%\drivers\SET8E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab88.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP52.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF73.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP66.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF51.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP72.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7F.tmp (0 bytes)
%System%\drivers\SET8A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP56.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF79.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP57.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP24.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em001_32_l2.nup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP60.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP50.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP62.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP58.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF75.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inx5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar87.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF63.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP70.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF69.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP30.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4E.tmp (0 bytes)
%System%\drivers\SET8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP68.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP74.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ni1BBB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP76.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP26.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\em001_32_l1.nup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF71.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP77.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF65.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP67.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF55.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP78.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF61.tmp (0 bytes)

Registry activity

The process trlang.exe:1932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 0C 78 EE A6 50 35 F8 A4 C6 81 5C BA B6 83 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process egui.exe:1896 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 2F 64 6E 78 65 10 74 30 D6 99 7E 1E EB B2 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000800]
"OutlookIntegrationChangeCounter" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process updatepatch.exe:456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 8E 5F F3 22 D6 6C DD 37 67 44 9E C8 D6 E3 2A"

The process ekrn.exe:364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/EPFW"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"CleanerBuild" = "1024"

[HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions]
"Eset Outlook Plugin" = "4.0;C:\PROGRA~1\ESET\ESETNO~1\EPLGOU~4.DLL;1;11010111111000"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "16777473"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"LastExec" = "1473305893"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"Password" = "00 D6 A7 E9 B9 F0 CF F2 68 64 50 AD C5 C8 2C 75"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\100]
"LastExec" = "1473305893"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"UserName" = "eavtrial52"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"DisplayName" = "EPFW e-posta tarayıcı kurulumu"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"DisplayName" = "Uygulamalar veya işletim sistemi tarafından kullanılan dosyaları sürekli koruma."

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ArchivesBuild" = "1020"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "2040"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersion" = "2740 (20071221)"
"UniqueID" = "0006156F57D0DD20"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"DisplayName" = "Başlangıçta otomatik dosya tarayıcısı kurulumu"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"PerseusBuild" = "1117"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler]
"TimeStamp" = "1835213340"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/EPFW"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"EditionName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ScannerBuild" = "2040"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ProxyEnabled" = "2"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"AdvheurBuild" = "1018"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C6 3C BA 1E D0 6E 6C CE 18 08 B9 03 E6 C1 9F"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1]
"LastExec" = "1473305949"

[HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions]
"Outlook Setup Extension" = "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Filters/Startup"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "2740"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"DisplayName" = "EPFW web tarayıcı kurulumu"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"LastExec" = "1473305949"

The process is-5IC2H.tmp:1060 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/EPFW"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u20.eset.com" = "d2019a-893-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000100\Profiles]
"Enable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight8" = "20"
"DefaultServerWeight9" = "20"
"DefaultServerWeight0" = "20"
"DefaultServerWeight1" = "20"
"DefaultServerWeight2" = "20"
"DefaultServerWeight3" = "20"
"DefaultServerWeight4" = "20"
"DefaultServerWeight5" = "20"
"DefaultServerWeight6" = "20"
"DefaultServerWeight7" = "20"
"VerFileETAG_89.202.157.139" = "8381f2-892-709e1a40"
"VerFileETAG_89.202.157.138" = "96c0ef-892-709e1a40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: Icon Group" = "(Default)"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"AdwareEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_89.202.157.137" = "ed820d-892-709e1a40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_0]
"Infiltration" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerCount" = "29"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_00000002]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "1000101"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles]
"Active" = "@My profile"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u39.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"AdvancedHeuristicsEnable" = "1"
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_1]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"RtpEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"InstallLocation" = "%Program Files%\ESET\ESET NOD32 Antivirus\"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"SfxEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"SelectedServer" = "http://u20.eset.com/eset_eval/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"MemoryEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"TriggerSettings" = "327680"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"AdvancedHeuristicsEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u33.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_update.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_u24.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles]
"Enable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u20.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_1]
"Infiltration" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SectorEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"AdvancedHeuristicsEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SectorEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"TriggerType" = "4"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"FileEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"ArchiveEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ScanUnwantedApp" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Filter]
"LogAllEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"AdwareEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000100\Profiles]
"Active" = "@In-depth scan"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"Name" = "NOD32 FiX by TemDono"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u33.eset.com" = "8dcdc-892-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "2113"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"RtpEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SectorEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SignaturesEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"UniqueID" = "0004DB97967FE6B1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServer29" = "http://u49.eset.com/eset_eval/"
"DefaultServer28" = "http://u48.eset.com/eset_eval/"
"DefaultServer25" = "http://u45.eset.com/eset_eval/"
"DefaultServer24" = "http://u44.eset.com/eset_eval/"
"DefaultServer27" = "http://u47.eset.com/eset_eval/"
"DefaultServer26" = "http://u46.eset.com/eset_eval/"
"DefaultServer21" = "http://u41.eset.com/eset_eval/"
"DefaultServer20" = "http://u40.eset.com/eset_eval/"
"DefaultServer23" = "http://u43.eset.com/eset_eval/"
"DefaultServer22" = "http://u42.eset.com/eset_eval/"
"DefaultServer6" = "http://89.202.157.136/eset_eval/"
"DefaultServer7" = "http://89.202.157.137/eset_eval/"
"DefaultServer4" = "http://u24.eset.com/eset_eval/"
"DefaultServer5" = "http://89.202.157.135/eset_eval/"
"DefaultServer2" = "http://u22.eset.com/eset_eval/"
"DefaultServer3" = "http://u23.eset.com/eset_eval/"
"DefaultServer0" = "http://u20.eset.com/eset_eval/"
"DefaultServer1" = "http://u21.eset.com/eset_eval/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"CleanLevel" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"MemoryEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServer8" = "http://89.202.157.138/eset_eval/"
"DefaultServer9" = "http://89.202.157.139/eset_eval/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"NoModify" = "1"
"UninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins001.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 39 3C 76 86 CF 59 E3 80 8D C5 A8 B7 19 D7 D3"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "2767"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"ArchiveEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u39.eset.com" = "89a57-892-709e1a40"
"DefaultServerWeight18" = "20"
"DefaultServerWeight19" = "20"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"MemoryEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight12" = "20"
"DefaultServerWeight13" = "20"
"DefaultServerWeight10" = "20"
"DefaultServerWeight11" = "20"
"DefaultServerWeight16" = "20"
"DefaultServerWeight17" = "20"
"DefaultServerWeight14" = "20"
"DefaultServerWeight15" = "20"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"FileEnable" = "1"

[HKLM\SOFTWARE\ESET\NOD\CurrentVersion\InstalledComponents\V3]
"Build" = "805306368"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"HeuristicsEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SignaturesEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"SfxEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"AdvancedHeuristicsEnable" = "0"

[HKLM\SOFTWARE\ESET\Nod\CurrentVersion\Info]
"InstallDir" = "Obsolete"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"RtpEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: App Path" = "%Program Files%\ESET\ESET NOD32 Antivirus"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u48.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"QuietUninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins001.exe /SILENT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"MemoryEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallDate" = "20160908"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_0]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"CleanLevel" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/EPFW"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"StartFailSettings" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"MemoryEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Filter]
"PreserveFileTimesEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"ArchiveEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"ModuleID" = "16778752"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Filters/Startup"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"FileEnable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u44.eset.com" = "4031-892-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\UI_Settings\Servers]
"Server_0" = "http://u20.eset.com/eset_eval/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"ArchiveEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_update.eset.com" = "8381f2-892-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"AdvancedHeuristicsEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u23.eset.com" = "d38211-892-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"ArchiveEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"MemoryEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SfxEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"UserName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"RtpEnable" = "1"
"AdwareEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight22" = "20"
"DefaultServerWeight21" = "20"
"DefaultServerWeight20" = "20"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight26" = "20"
"DefaultServerWeight25" = "20"
"DefaultServerWeight24" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: Setup Version" = "5.1.12"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight29" = "20"
"DefaultServerWeight28" = "20"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"RtpEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u44.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"EditionName" = "TNCTR.COM Özel Sürüm by Hakanakt (50 Yýl ücretsiz)"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SignaturesEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"LastExec" = "1199657632"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u48.eset.com" = "3fec-892-709e1a40"
"DefaultServerWeight23" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"DisplayName" = "NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_00000002]
"Infiltration" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_89.202.157.137" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"MailEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_89.202.157.139" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_89.202.157.138" = "Fri, 04 Jan 2008 20:34:41 GMT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SfxEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"SfxEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"HeuristicsEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"HeuristicsEnable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight27" = "20"
"VerFileETAG_u24.eset.com" = "3f0199-892-709e1a40"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SfxEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"ArchiveEnable" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"CleanLevel" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u23.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"DefaultServer14" = "http://u34.eset.com/eset_eval/"
"DefaultServer15" = "http://u35.eset.com/eset_eval/"
"DefaultServer16" = "http://u36.eset.com/eset_eval/"
"DefaultServer17" = "http://u37.eset.com/eset_eval/"
"DefaultServer10" = "http://u30.eset.com/eset_eval/"
"DefaultServer11" = "http://u31.eset.com/eset_eval/"
"DefaultServer12" = "http://u32.eset.com/eset_eval/"
"DefaultServer13" = "http://u33.eset.com/eset_eval/"
"DefaultServer18" = "http://u38.eset.com/eset_eval/"
"DefaultServer19" = "http://u39.eset.com/eset_eval/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000800\Profiles\@My profile]
"Active" = "@My profile"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"PackageTag" = "72029443"

The process %original file name%.exe:1920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D D6 0C 3E 59 B5 4E 86 69 7D 1B AF BB 7E A0 65"

The process NOD32.FiX.v3.0.tmp:652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Flags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"
"TriggerType" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: App Path" = "%Program Files%\ESET\ESET NOD32 Antivirus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"DisplayVersion" = "3.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Flags" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: Setup Version" = "5.2.2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: Icon Group" = "ESET\ESET NOD32 Antivirus"
"NoRepair" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Path" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Flags" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"InstallDate" = "20160908"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Enabled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"UninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"URLUpdateInfo" = "http://www.nsanedown.com/?request=140184"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"QuietUninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins000.exe /SILENT"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Name" = "NOD32 FiX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"DisplayName" = "NOD32 FiX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"ModuleID" = "16778752"
"TriggerSettings" = "120"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Infiltration" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Infiltration" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Path" = "%Program Files%\ESET\ESET NOD32 Antivirus\nlv3mod.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 67 D1 B3 6F 69 F5 A5 1F 51 71 44 5E 25 AC 46"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Path" = "%Program Files%\ESET\ESET NOD32 Antivirus\Obsoletenodlogin.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"HelpLink" = "http://www.nsaneforums.com/?showforum=20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Infiltration" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"InstallLocation" = "%Program Files%\ESET\ESET NOD32 Antivirus\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"URLInfoAbout" = "http://www.nsanedown.com/"
"Publisher" = "nsane.down"

The process NOD32.FiX.v3.0.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E E5 7A 2D 40 E1 2A 8B F5 CB CC 40 6A AB 94 14"

The process nlv3mod.exe:2968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 8C 49 3E 46 12 39 FF 39 A9 5C 01 06 CE 32 24"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"Password"
"Username"

The process MsiExec.exe:1204 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF B2 7B C5 0F 06 55 14 46 9C 57 BF FB 44 1B 3A"

The process MsiExec.exe:1328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ESET\Setup\Drivers\{CBE608F3-7E23-433C-9126-0B720DF8C909}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.inf"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdate" = "1473305886"

[HKCR\Folder\ShellEx\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{4A2B7826-D821-4E2F-9E5C-772291C3589B}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.inf"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{4AB32F18-A357-46E6-827C-58F4ACB4104F}]
"DriverVer" = "12/21/2007, 3.0.621.0"

[HKCR\Drives\Shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "Eset Smart Security - Context Menu Shell Extension"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{4AB32F18-A357-46E6-827C-58F4ACB4104F}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.inf"

[HKCR\*\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET NOD32 Antivirus\shellExt.dll"

[HKLM\SOFTWARE\Microsoft\Driver Signing]
"Policy" = "00"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{CBE608F3-7E23-433C-9126-0B720DF8C909}]
"DriverVer" = "12/21/2007, 3.0.621.0"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Groups]
"Groups" = "perseus,systemstatus"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 16 98 4E 45 33 1D 74 C0 F8 9A 30 F3 55 84 E0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"PrivateHash" = "7D 1E 6F 9D 02 2D 9D 06 A6 A6 A8 32 69 4E 54 D3"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{4A2B7826-D821-4E2F-9E5C-772291C3589B}]
"DriverVer" = "12/21/2007, 3.0.621.0"

[HKLM\SOFTWARE\ESET\Setup\CurrentSession]
"PrevSystemDriversSetting" = "1"

[HKCR\Drive\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateAttempt" = "1473305886"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\ESET\Setup\CurrentSession]
"PrevUserDriversSetting"
"PrevSystemDriversSetting"

Dropped PE files

MD5 File path
7a25ad652a3003b8854e873a3324e672c:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.sys
c7c17bc80b7264322207abc31f20ea84c:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.sys
74051da749e5e89a14ddab5ba4a03a7fc:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.sys
5171ce57b3a004e30ca2b4062c053085c:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
db82c7aa8cae7b86f71fa2571987bf51c:\Program Files\ESET\ESET NOD32 Antivirus\Obsoletenodlogin.exe
5d830bb888cc596f225cfaa1ed0d9c84c:\Program Files\ESET\ESET NOD32 Antivirus\ShellExtLang.dll
0d2f48ee77a906ec55c28f277fe08e6cc:\Program Files\ESET\ESET NOD32 Antivirus\callmsi.exe
4f9f8cba5e00a5e16f7bfb223eb2aba4c:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe
fb274511c5e3b8984bd3210302d7fb4dc:\Program Files\ESET\ESET NOD32 Antivirus\eclsLang.dll
4038dc784ec33ead502c25392a945b84c:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe
96d4ecd27feef7f5f23a8518eee2f591c:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
bd502632ec4614dfebd897975ba7b651c:\Program Files\ESET\ESET NOD32 Antivirus\eguiAmon.dll
fa88530c577e2a726181c373f78524e7c:\Program Files\ESET\ESET NOD32 Antivirus\eguiAmonLang.dll
268dff9f4482f1ee30f9ffabc77aff4ec:\Program Files\ESET\ESET NOD32 Antivirus\eguiEmon.dll
03f69f843fe322a93ce9ea25f72e1f50c:\Program Files\ESET\ESET NOD32 Antivirus\eguiEmonLang.dll
778f84f111c21baf767cb72aa6934026c:\Program Files\ESET\ESET NOD32 Antivirus\eguiEpfw.dll
b9203e644bb7e3c253a695faaa1e654dc:\Program Files\ESET\ESET NOD32 Antivirus\eguiEpfwLang.dll
538ec42e08dc1de89808e57ed2d48085c:\Program Files\ESET\ESET NOD32 Antivirus\eguiLang.dll
e0b1e342631450bfd1e5860919a9f78cc:\Program Files\ESET\ESET NOD32 Antivirus\eguiMailPlugins.dll
fb430086827f923a818f4f47ebed9114c:\Program Files\ESET\ESET NOD32 Antivirus\eguiMailPluginsLang.dll
66747ce355107a115a3105218ed0ab76c:\Program Files\ESET\ESET NOD32 Antivirus\eguiProduct.dll
1f34681c9142a14074de8d652d4dca61c:\Program Files\ESET\ESET NOD32 Antivirus\eguiScan.dll
10ec573733f707af2ae145f523aaae9ac:\Program Files\ESET\ESET NOD32 Antivirus\eguiScanLang.dll
04ea6c4a7f3285fc50a2b6c4782762f9c:\Program Files\ESET\ESET NOD32 Antivirus\eguiSmonLang.dll
ca7098ef64bc885530deaea533d662a1c:\Program Files\ESET\ESET NOD32 Antivirus\eguiUpdate.dll
e424cd8fd812c426c37b503d84d48009c:\Program Files\ESET\ESET NOD32 Antivirus\eguiUpdateLang.dll
d5d4124827086ba54f6bfe75ce330531c:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
b61cf090f99137c761ee81ec07a7086bc:\Program Files\ESET\ESET NOD32 Antivirus\ekrnAmon.dll
7f29b4cd000376ccc226f1180bdc1826c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnEmon.dll
bbbab58f30f6634674856085265a4e32c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnEpfw.dll
7d80b7cb3eeda37b85e4d58159540eb8c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnEpfwLang.dll
e9d71546989faff4856966c8fd37ae86c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnLang.dll
76d9da47cfcb8f27ba1f37816b24088ac:\Program Files\ESET\ESET NOD32 Antivirus\ekrnMailPlugins.dll
d1631e69c6c73354c9fe6c014a1f5647c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnMailPluginsLang.dll
748c898b132d37187aace7c19849fc67c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnScan.dll
0d1571323b3b8f254d2bff2916c7a02dc:\Program Files\ESET\ESET NOD32 Antivirus\ekrnScanLang.dll
23c3176131fabd55e42bb930621a737dc:\Program Files\ESET\ESET NOD32 Antivirus\ekrnSmonLang.dll
591c12301d2a14a7077f5b2bf774949ac:\Program Files\ESET\ESET NOD32 Antivirus\ekrnUpdate.dll
621ac9d30c0317cf8b2b8de36f184a73c:\Program Files\ESET\ESET NOD32 Antivirus\ekrnUpdateLang.dll
8cf8bb2c81914b786ff5eb57f2a801c0c:\Program Files\ESET\ESET NOD32 Antivirus\eplgHooks.dll
77aec6e05519d29c6bf797c042ee38abc:\Program Files\ESET\ESET NOD32 Antivirus\eplgOE.dll
8a5043a3850bb757ff2a1961a0f636dcc:\Program Files\ESET\ESET NOD32 Antivirus\eplgOEEmon.dll
616c35b74cd2f27351a598823f79c4a4c:\Program Files\ESET\ESET NOD32 Antivirus\eplgOELang.dll
e35f3a6eb2baeafafa56575c45197dbfc:\Program Files\ESET\ESET NOD32 Antivirus\eplgOESmonLang.dll
073d3351182c00bae9663461ffb7b489c:\Program Files\ESET\ESET NOD32 Antivirus\eplgOutlook.dll
cddb6b28bd5bfc09da76534b9777bb9cc:\Program Files\ESET\ESET NOD32 Antivirus\eplgOutlookEmon.dll
322f9e874d7261dc2ce7766c52c9fa04c:\Program Files\ESET\ESET NOD32 Antivirus\eplgOutlookEmonLang.dll
dd942033f8df78e99132de535940e7d8c:\Program Files\ESET\ESET NOD32 Antivirus\eplgOutlookLang.dll
a69c7b71f65ef94bb0dd6ffb1e749401c:\Program Files\ESET\ESET NOD32 Antivirus\eplgOutlookSmonLang.dll
a7a06f72700e74992a7b6815e6f6c336c:\Program Files\ESET\ESET NOD32 Antivirus\http_dll.dll
08a620fc7addf7e8a4c4f755a9bb8977c:\Program Files\ESET\ESET NOD32 Antivirus\mfc80.dll
2624bfbd42bba3c9c54655b5b0119181c:\Program Files\ESET\ESET NOD32 Antivirus\mfc80u.dll
be5902be171b540c1bc97ea014252801c:\Program Files\ESET\ESET NOD32 Antivirus\msvcp80.dll
b29cfcad27488d0365c09de3f3ef04fec:\Program Files\ESET\ESET NOD32 Antivirus\msvcr80.dll
04d88d5f80d7066e8ae5f8b95f34792ac:\Program Files\ESET\ESET NOD32 Antivirus\nlv3mod.exe
4b6ebd84217fca70a0356964c614ca4ac:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
e7439480898043ec7ad8ff21ff0ead78c:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe
d396ffb960be609e941df8c562683730c:\Program Files\ESET\ESET NOD32 Antivirus\unins001.exe
5748f6e9a70f8d0740e82aaffc756e7ec:\Program Files\ESET\ESET NOD32 Antivirus\updater.dll
604e889f013dcd71dd17cd2d4bd554a2c:\WINDOWS\Installer\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}\egui.exe
7a25ad652a3003b8854e873a3324e672c:\WINDOWS\system32\drivers\eamon.sys
c7c17bc80b7264322207abc31f20ea84c:\WINDOWS\system32\drivers\easdrv.sys
74051da749e5e89a14ddab5ba4a03a7fc:\WINDOWS\system32\drivers\epfwtdir.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\easdrv.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\DRIVERS\epfwtdir.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\DRIVERS\easdrv.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.


Using the driver " %System%\DRIVERS\eamon.sys" the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.


Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    trlang.exe:1932
    egui.exe:1896
    updatepatch.exe:456
    ekrn.exe:364
    is-5IC2H.tmp:1060
    %original file name%.exe:1920
    NOD32.FiX.v3.0.tmp:652
    NOD32.FiX.v3.0.exe:228
    nlv3mod.exe:2968
    MsiExec.exe:1204
    MsiExec.exe:1328

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\ESET\ESET NOD32 Antivirus\eplgOELang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnScanLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookEmonLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnEpfwLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookSmonLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnUpdateLang.dll (3848 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eplgOESmonLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiUpdateLang.dll (3848 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiScanLang.dll (7832 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiLang.dll (30568 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiSmonLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ShellExtLang.dll (2312 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnSmonLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiMailPluginsLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eclsLang.dll (1160 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiEpfwLang.dll (20648 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiEmonLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\ekrnMailPluginsLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookLang.dll (392 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\eguiAmonLang.dll (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (3746 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat (60 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat (174 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat (60 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB (388548 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EHttpSrv.xml (2 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\unins001.dat (2064 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\is-VNGOU.tmp (7616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (23 bytes)
    %WinDir%\is-M3T4C.tmp (360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (3941 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (4727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (5560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (118928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\is-HR45C.tmp (3361 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ESET\ESET NOD32 Antivirus\Uninstall NOD32 FiX.lnk (775 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\is-QAQB8.tmp (3073 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\unins000.dat (934 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\is-5SSES.tmp (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (3 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\is-GBGIK.tmp (9223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (3753 bytes)
    %Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Installer\7af7.msi (122334 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\inx5.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF15.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP32.tmp (3851 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP22.tmp (3851 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF12.tmp (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP1E.tmp (301 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF59.tmp (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar85.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP3E.tmp (4028 bytes)
    %System%\drivers\SET8A.tmp (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP64.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF35.tmp (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP2E.tmp (106475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF31.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF18.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab86.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP54.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF53.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF1B.tmp (267 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em001_32.dat (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP2A.tmp (3851 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF4D.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP3C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF1A.tmp (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP1C.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF45.tmp (271 bytes)
    %System%\drivers\SET8E.tmp (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF39.tmp (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF19.tmp (273 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP3F.tmp (1652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab88.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF7B.tmp (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP20.tmp (53149 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em003_32.dat (2019 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP52.tmp (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSFE.tmp (300 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF4B.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF73.tmp (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF25.tmp (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF6D.tmp (267 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em000_32.dat (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP66.tmp (10111 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP3A.tmp (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP5F.tmp (4979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP47.tmp (1652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP42.tmp (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP6F.tmp (3565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP7C.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF41.tmp (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSFF.tmp (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP38.tmp (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF7D.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF51.tmp (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP6E.tmp (2990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF1F.tmp (277 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em004_32.dat (6963 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF23.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF16.tmp (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP72.tmp (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF13.tmp (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP4F.tmp (1652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF29.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP7A.tmp (30 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em002_32.dat (180567 bytes)
    %WinDir%\setupapi.log (10176 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP34.tmp (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP7F.tmp (3565 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP56.tmp (10111 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP37.tmp (63073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF5D.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP40.tmp (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP6C.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP5A.tmp (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF49.tmp (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP28.tmp (53149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF79.tmp (273 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF10.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP27.tmp (63073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF14.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab84.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP4C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP57.tmp (4979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP24.tmp (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP60.tmp (1698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP50.tmp (1698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP62.tmp (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar89.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF17.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF11.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP58.tmp (1698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF75.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF2D.tmp (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF5B.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF3D.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar87.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP4A.tmp (51 bytes)
    %Program Files%\ESET\ESET NOD32 Antivirus\em005_32.dat (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF63.tmp (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP70.tmp (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF69.tmp (273 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP48.tmp (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP30.tmp (53149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF2B.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP4E.tmp (4028 bytes)
    %System%\drivers\SET8C.tmp (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF3B.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP5C.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF6B.tmp (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP68.tmp (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP74.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP76.tmp (2990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP5E.tmp (10111 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP26.tmp (106475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP46.tmp (4028 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP36.tmp (106475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP44.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF71.tmp (273 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP2C.tmp (74 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP2F.tmp (63073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP6A.tmp (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP77.tmp (3565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP7E.tmp (2990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF33.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF65.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF21.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF1D.tmp (300 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP67.tmp (4979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF55.tmp (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF43.tmp (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NUP78.tmp (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSF61.tmp (274 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui" = "%Program Files%\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: www.tnctr.com
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language:

Company Name: www.tnctr.comProduct Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language:

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409694046942084.540075f527761e4a62f1934404677b8f6cc31
.rdata9830416690168963.05806134d1ad3ec02184774b2c0e4bea00903
.data11878422856128000.901872c820faaa2e85482e274c0a9283f6d130
.rsrc1433602031042032645.26434d4121c9bb46ac93a7152fe478e9ab3f3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2004.crl
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://crl.verisign.com/pca3.crl23.37.37.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab13.107.4.50
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt13.107.4.50
hxxp://CSC3-2004-crl.verisign.com/CSC3-2004.crl
csc3-2004-crl.verisign.com23.37.37.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CSC3-2004.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: CSC3-2004-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "35e423f44c2b9b573919cef614e62f3b:1473282619"

Last-Modified: Wed, 07 Sep 2016 21:10:19 GMT

Date: Thu, 08 Sep 2016 03:38:08 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl

00006000..0..zV0..y=0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA..160907210001Z..160917210001Z0..xT0!.....'...._.=.t.{...060411095352Z0!........]...n.d.^...041210180734Z0!....B.38..I....Z.Z..060522202503Z0!.....V..=.&..p.K_...041223173514Z0!...$fd{........ZKI..050727182105Z0!...'..P..Tk....i ...081114114704Z0!...*m.......$.e.iw..050113162826Z0!...4..&.....(.V.bD..060717184318Z0!...>.h`a.nZM.VIP....061027222850Z0!...?..!.....Z..%....080514074106Z0!...A.*T-.NB>Ro.S.~..070627153307Z0!...Wf....0?.1.<G4...080827011731Z0!...[.}7.8.t.........070607081209Z0!...^.@.....1..v..`..061207041025Z0!...ol4....{.........080520210256Z0!.....oP...._. .a....061205224400Z0!.....}...../5.=.....041018225848Z0!.....B.w5$.h..,."...060707142917Z0!....]....d..........041217144015Z0!.........1.9.fwI.a..050926191715Z0!............*.>W....041221185802Z0!...."....J..l.......050712133504Z0!....X.r..'7hK._.....080804054612Z0!....Q)..6.....4.[...051018015040Z0!.........Y.=.U=y....060308034429Z0!....:..I.. ......Y..060912161745Z0!......t..Au...e `...060406020106Z0!........&.zR.....J..080220163354Z0!...%.&.f./....>.H...070216105424Z0!...8....n..#b.dM....090505134237Z0!...E..1..>..........070621145128Z0!...L.k'.W..!.;w0....060711202546Z0!...U.......Te.c.....080829025216Z0!...qo..b..>...C.....081214140650Z0!.......?....War.y...061019142712Z0!.......^i7.6_m..W...070122210641Z0!

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Length: 18

Content-Type: text/plain

Last-Modified: Thu, 14 Apr 2016 22:20:39 GMT

Accept-Ranges: bytes

ETag: "8095d7df9b96d11:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

X-CID: 7

X-CCC: RU

X-MSEdge-Ref: Ref A: 12FF7BE133744A30BF8E113B0F531FC3 Ref B: 6073D500E98A8380F3DE914AFD7C2E04 Ref C: Wed Sep 7 20:38:23 2016 PST

Date: Thu, 08 Sep 2016 03:38:22 GMT

1401D1969BE01E11A6....

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Length: 49640

Content-Type: application/octet-stream

Last-Modified: Fri, 15 Apr 2016 17:23:18 GMT

Accept-Ranges: bytes

ETag: "0c730803b97d11:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

X-CID: 7

X-CCC: RU

X-MSEdge-Ref: Ref A: 527BD296FE284F0381B900C25054DD32 Ref B: 19744FB6BA7F5F167D078D514142D405 Ref C: Wed Sep 7 20:38:23 2016 PST

Date: Thu, 08 Sep 2016 03:38:22 GMT

MSCF............,...................I..................HaR .authroot.stl.%.u3S8..CK...<T.......4v.e.3h.......l...kICY*7-viS.ZH{i.."QY...H.T$!..L..g......k^.w.s..y?..}....4.......d.4...0....)...0..@.......D. 0Y......#p.&;..,..L....._.....ppSf^.....\x....PSSC........4..Apw..:..*....."(..6..............".3..6#.*9..yx>.w..aX....U..:.*G?..3......wY.Z=G..^...J.......Qt.U.xiD2..o....1f.a.9...&...T..\.X<u.WU/.]=./8. .sK.......(.<.A$H.............5...y......"...\...IP..A(y....]..fc`.r)Y.$..<.V.............'....f..X.Y.<......R...zq.5nfO,..NE.....*/ud.7.=.".3..........%.. ....F.......,.e.3.e..... ..T...=x.BD.........R.0..3D.....W......v<\{...Oj>.$YT)LQ..........{.......s=.vs..........dY].<.v..<..w[.{.Z..qV.............= ......5.5........tm... ...SZ.....e-1e<.rX..K3>..~]{b#..&......b.e......;...?......7...!W......e\..a>!{....t.....r...TV...h....4...........Bx...aBp...............F....kx. V.q....g.?.q\.z.?h>V..ORz.....t...%.{w...4..(.......m.|..X\,./.4w.6?M$.q;q.............x?...Auip.... 8..".4...a}E.98T..*...N...7]p<G.&I.........7....@.Q.#.%.:..TE7....d..b. .E.V...-.=1.........j.)t...Z &.e.o..m..L.s.2.\...j4.d..............4.....9...3...03...-2c)L.."..y.7.|... !O.1.....i:....J.:.P..5...6.W...XP..J..^.....u.v....|..U..-..Q..CF.r ..........`.V~.C...=.=.m...6N.,..OV.Z...d.K.-....".D.8.V,}X.P.D..X"8.....;DD."../x.(M..O........1V6R./.3|I...9,........eh..........k...W.....t.*...K..a.....x.0#.t..F.!...7Vk ........7....X......2.t!...AB..b...1.&..S.`G...1@.f.I."...vl.g.}Rs....y.z}....}.

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"

Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT

Date: Thu, 08 Sep 2016 03:38:08 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..160623000000Z..160930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H...............DA.............Q>...#........H#......;....._.....v.W..@.:k[.#..,...:...DI. ,g... ..].w.b.d.....1.p.s...];Bs..E.9>...l}....5].HTTP/1.1 200 OK..Server: Apache..ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"..Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT..Date: Thu, 08 Sep 2016 03:38:08 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..160623000000Z..160930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

ekrn.exe_364:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

SSSSSh

SSSSSh

VWt.Pj

VWt.Pj

L$(SSh

L$(SSh

t.hp?B

t.hp?B

t.hpCB

t.hpCB

tCPh

tCPh

inflate 1.2.3 Copyright 1995-2005 Mark Adler

inflate 1.2.3 Copyright 1995-2005 Mark Adler

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

1.2.3

POST /%s HTTP/1.1

POST /%s HTTP/1.1

Host: %s

Host: %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

chs_reply=%d

chs_reply=%d

0.0.0.0

0.0.0.0

SupportRequestXML

SupportRequestXML

SupportRequest

SupportRequest

SupportRequestAttachment

SupportRequestAttachment

/supportrequest/

/supportrequest/

RegDeleteKeyExA

RegDeleteKeyExA

RegDeleteKeyExW

RegDeleteKeyExW

%d.%d.%d.%d

%d.%d.%d.%d

Pocet: %d

Pocet: %d

RtlFormatCurrentUserKeyPath

RtlFormatCurrentUserKeyPath

NtCreatePort

NtCreatePort

NtListenPort

NtListenPort

NtConnectPort

NtConnectPort

NtAcceptConnectPort

NtAcceptConnectPort

NtCompleteConnectPort

NtCompleteConnectPort

NtRequestPort

NtRequestPort

NtRequestWaitReplyPort

NtRequestWaitReplyPort

NtReplyWaitReceivePort

NtReplyWaitReceivePort

NtReplyPort

NtReplyPort

NtImpersonateClientOfPort

NtImpersonateClientOfPort

NtCreateKey

NtCreateKey

NtDeleteKey

NtDeleteKey

NtDeleteValueKey

NtDeleteValueKey

NtEnumerateKey

NtEnumerateKey

NtEnumerateValueKey

NtEnumerateValueKey

NtOpenKey

NtOpenKey

NtQueryValueKey

NtQueryValueKey

NtSetValueKey

NtSetValueKey

EHLO %s

EHLO %s

AUTH LOGIN

AUTH LOGIN

HELO %s

HELO %s

MAIL FROM:

MAIL FROM:

%COMPUTERNAME%

%COMPUTERNAME%

RCPT TO:

RCPT TO:

From: %S

From: %S

To: %S

To: %S

Date: %s, %d %s %d d:d:d %cdd

Date: %s, %d %s %d d:d:d %cdd

boundary="%s"

boundary="%s"

Content-Type: text/plain; charset="Windows-%d"

Content-Type: text/plain; charset="Windows-%d"

Subject: %S

Subject: %S

ntdll.dll

ntdll.dll

KERNEL32.DLL

KERNEL32.DLL

"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Robert Wilensky

"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Robert Wilensky

POST %s HTTP/1.0

POST %s HTTP/1.0

Content-Type: multipart/form-data; boundary=%s

Content-Type: multipart/form-data; boundary=%s

Host: %s:%d

Host: %s:%d

%s:%s

%s:%s

MS Windows

MS Windows

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegCloseKey

RegCloseKey

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyW

RegEnumKeyW

RegDeleteKeyW

RegDeleteKeyW

default_nod32ra_password

default_nod32ra_password

s=0x%p,0x%x,0x%x

s=0x%p,0x%x,0x%x

d:\installbuild\ess_3_0_600\build\apps\work\release\ekrn\winnt32\ekrn.pdb

d:\installbuild\ess_3_0_600\build\apps\work\release\ekrn\winnt32\ekrn.pdb

WS2_32.dll

WS2_32.dll

KERNEL32.dll

KERNEL32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

RegOpenKeyW

RegOpenKeyW

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyA

RegOpenKeyA

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

MSVCP80.dll

MSVCP80.dll

MSVCR80.dll

MSVCR80.dll

_amsg_exit

_amsg_exit

_acmdln

_acmdln

_crt_debugger_hook

_crt_debugger_hook

.?AV?$CParamStructHelper@U_CCE_REPORT_EVENT_PARAMS@@@@

.?AV?$CParamStructHelper@U_CCE_REPORT_EVENT_PARAMS@@@@

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

ecmd.exe

ecmd.exe

virlog.dat

virlog.dat

warnlog.dat

warnlog.dat

EHttpSrv

EHttpSrv

shellExt.dll

shellExt.dll

{B089FE88-FB52-11D3-BDF1-0050DA34150D}

{B089FE88-FB52-11D3-BDF1-0050DA34150D}

%USERNAME%

%USERNAME%

%SCANNER%

%SCANNER%

%%BUILD="%u"%%VERSIONID="%u"%ÚTE="%u"%%TIME="%u"

%%BUILD="%u"%%VERSIONID="%u"%ÚTE="%u"%%TIME="%u"

eScan\*.dat

eScan\*.dat

*.lic

*.lic

nod32api.dll

nod32api.dll

nod32aui.dll

nod32aui.dll

Software\ESET\ESET Security\CurrentVersion\Plugins\APIx

Software\ESET\ESET Security\CurrentVersion\Plugins\APIx

Software\ESET\ESET Security\CurrentVersion\Scanners\X

Software\ESET\ESET Security\CurrentVersion\Scanners\X

SECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=%X\PROFILES\NODE;NAME="%s";TYPE=SUBNODE

SECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=%X\PROFILES\NODE;NAME="%s";TYPE=SUBNODE

SECTION;ID=#01000103\STATUS\RECORD;PLUGIN=#%X;UNIQUEID=#%X

SECTION;ID=#01000103\STATUS\RECORD;PLUGIN=#%X;UNIQUEID=#%X

%u.%u.%u %s

%u.%u.%u %s

%d.%d.%d

%d.%d.%d

%u MB

%u MB

egui.exe

egui.exe

RAExceptionHandlerDump [2I64x], REG: EIP=0xx EBP=0xx ESP=0xx EAX=0xx EBX=0xx ECX=0xx EDX=0xx ESI=0xx EDI=0xx EFlags=0xx

RAExceptionHandlerDump [2I64x], REG: EIP=0xx EBP=0xx ESP=0xx EAX=0xx EBX=0xx ECX=0xx EDX=0xx ESI=0xx EDI=0xx EFlags=0xx

RAExceptionHandlerDump [2I64x], ESP[%d]: %s

RAExceptionHandlerDump [2I64x], ESP[%d]: %s

RAExceptionHandlerDump [2I64x], type: %u, req_size: %u, max_rep_size: %u, rep_size: %u, procparam: 0xx

RAExceptionHandlerDump [2I64x], type: %u, req_size: %u, max_rep_size: %u, rep_size: %u, procparam: 0xx

RAExceptionHandlerDump [2I64x], req_buffer[%d]: %s

RAExceptionHandlerDump [2I64x], req_buffer[%d]: %s

RAExceptionHandlerDump [2I64x], rep_buffer[%d]: %s

RAExceptionHandlerDump [2I64x], rep_buffer[%d]: %s

SUPPORT

SUPPORT

PASSWORD

PASSWORD

${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%i|${EvalId}=%u

${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%i|${EvalId}=%u

explorer.exe

explorer.exe

${Username}=%s|${DistributorGUID}=%s|${ExpirationState}=%u|${ExpirationDate}=%s|${LicenseType}=%u|${LicenseCancelled}=%u|${PasswordChanged}=%u|${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%u|${DaysExpired}=%u

${Username}=%s|${DistributorGUID}=%s|${ExpirationState}=%u|${ExpirationDate}=%s|${LicenseType}=%u|${LicenseCancelled}=%u|${PasswordChanged}=%u|${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%u|${DaysExpired}=%u

eguiProduct.dll

eguiProduct.dll

CMDLINE

CMDLINE

ekrnLang.dll

ekrnLang.dll

UsernamePassword

UsernamePassword

LinkUrl

LinkUrl

PasswordChangedFlag

PasswordChangedFlag

%d.%d

%d.%d

A\\.\easdrv

A\\.\easdrv

d-d-d d:d:d

d-d-d d:d:d

*.dat

*.dat

A %u.%u.%u %s

A %u.%u.%u %s

AreqX.xml

AreqX.xml

*.xml

*.xml

Advapi32.dll

Advapi32.dll

ieframe.dll

ieframe.dll

IpHlpApi.dll

IpHlpApi.dll

dKernel32.dll

dKernel32.dll

mpr.dll

mpr.dll

Netapi32.dll

Netapi32.dll

Ntdll.dll

Ntdll.dll

Rasapi32.dll

Rasapi32.dll

userenv.dll

userenv.dll

kwsock32.dll

kwsock32.dll

WtsApi32.dll

WtsApi32.dll

yLockPassword

yLockPassword

ProxyPassword

ProxyPassword

ProxyPort

ProxyPort

MsgMinStatusLog

MsgMinStatusLog

MsgMinStatusSend

MsgMinStatusSend

MsgFormatError

MsgFormatError

MsgFormatVirus

MsgFormatVirus

SMTP_Password

SMTP_Password

SMTP_Username

SMTP_Username

SMTP_Address

SMTP_Address

SMTP_SenderAddress

SMTP_SenderAddress

SMTP_Server

SMTP_Server

SMTP_Flags

SMTP_Flags

SMTP_Enabled

SMTP_Enabled

*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc

*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc

RAClientPassword

RAClientPassword

RAClientPort

RAClientPort

SupportCountry

SupportCountry

SupportCompany

SupportCompany

SupportMail

SupportMail

Node_d

Node_d

LastExec

LastExec

Software\ESET\ESET Security\CurrentVersion\Scheduler\%u

Software\ESET\ESET Security\CurrentVersion\Scheduler\%u

SupportRequests\

SupportRequests\

\\%s\mailslot\messngr

\\%s\mailslot\messngr

\BaseNamedObjects\NODCOMMXToXCommPort

\BaseNamedObjects\NODCOMMXToXCommPort

CNODCOMMXToXReceiverMutex

CNODCOMMXToXReceiverMutex

NODCOMMXToXCommMutex

NODCOMMXToXCommMutex

NODCOMMXToXSendEvent

NODCOMMXToXSendEvent

NODCOMMXToXAckEvent

NODCOMMXToXAckEvent

NODCOMMXToXSection

NODCOMMXToXSection

%sNODCOMMXToXBroadcastMutex

%sNODCOMMXToXBroadcastMutex

%sNODCOMMXToXBroadcast

%sNODCOMMXToXBroadcast

\Device\LanmanRedirector\;%c:

\Device\LanmanRedirector\;%c:

FirewallProduct.instanceGuid="{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}"

FirewallProduct.instanceGuid="{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}"

AntiSpywareProduct.instanceGuid="{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}"

AntiSpywareProduct.instanceGuid="{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}"

AntiVirusProduct.instanceGuid="{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}"

AntiVirusProduct.instanceGuid="{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}"

{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}

{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}

{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

\\.\root\SecurityCenter

\\.\root\SecurityCenter

pathToSignedProductExe

pathToSignedProductExe

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

Windows

Windows

(%u MHz)

(%u MHz)

comctl32.dll

comctl32.dll

NODX.lic

NODX.lic

D\\.\%c:

D\\.\%c:

\\.\PHYSICALDRIVE%d

\\.\PHYSICALDRIVE%d

SERVER;NAME=X_X

SERVER;NAME=X_X

OPTION;OPTNAME=ListeningPort

OPTION;OPTNAME=ListeningPort

GLOBAL\OPTION;OPTNAME=ListeningPort

GLOBAL\OPTION;OPTNAME=ListeningPort

SYSTEM\CurrentControlSet\Services\%s\Parameters

SYSTEM\CurrentControlSet\Services\%s\Parameters

4Error submitting ThreatSense.Net data to RA: TimeoutIError submitting ThreatSense.Net data to RA: Synchronization lost on exitKError submitting ThreatSense.Net data to RA: Synchronization lost on submit

4Error submitting ThreatSense.Net data to RA: TimeoutIError submitting ThreatSense.Net data to RA: Synchronization lost on exitKError submitting ThreatSense.Net data to RA: Synchronization lost on submit

Could not retrieve MAC address.:Authentication to ESET Remote Administrator Server failed.GAuthentication to ESET Remote Administrator Server ended up with error.6Connection to ESET Remote Administrator Server failed.

Could not retrieve MAC address.:Authentication to ESET Remote Administrator Server failed.GAuthentication to ESET Remote Administrator Server ended up with error.6Connection to ESET Remote Administrator Server failed.

%s*Antivirus protection is currently disabled

%s*Antivirus protection is currently disabled

Enable email protection Web access protection is currently disabled

Enable email protection Web access protection is currently disabled

Web access protection was disabled by the user. Enable web access protection

Web access protection was disabled by the user. Enable web access protection

Enable web access protection

Enable web access protection

A computer restart is requiredr%PRODUCTNAME% has been updated to a newer version. For the changes to take effect, a computer restart is required.2I64x], Exception in %s, Code: 0xx, LastError: ÛRAExceptionHandlerDump [2I64x], Flags: 0xx, Address: 0x6x

A computer restart is requiredr%PRODUCTNAME% has been updated to a newer version. For the changes to take effect, a computer restart is required.2I64x], Exception in %s, Code: 0xx, LastError: ÛRAExceptionHandlerDump [2I64x], Flags: 0xx, Address: 0x6x

%s!Remaining trial period:

%s!Remaining trial period:

%s day(s)

%s day(s)

%s!Your license will run out shortly

%s!Your license will run out shortly

The lifetime of this beta version will run out in ${DaysToExpire} day(s). We recommend that you download a newer version from here.

The lifetime of this beta version will run out in ${DaysToExpire} day(s). We recommend that you download a newer version from here.

The lifetime of this version has run out. We recommend that you download a newer version from here.$Automatic startup file scanner setup!Your license will run out shortly

The lifetime of this version has run out. We recommend that you download a newer version from here.$Automatic startup file scanner setup!Your license will run out shortly

Your license with Username ${Username} will run out in ${DaysToExpire} days. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} will run out in ${DaysToExpire} days. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} has expired ${DaysExpired} days ago. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} has expired ${DaysExpired} days ago. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} will run out shortly. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} will run out shortly. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} has expired. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

Your license with Username ${Username} has expired. Click here to open the purchase page and renew your license. If you have already obtained a new Username and Password, you can change it here.

The lifetime of this trial version will run out in ${DaysToExpire} day(s). To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.

The lifetime of this trial version will run out in ${DaysToExpire} day(s). To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.

The lifetime of this trial version has run out. To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.

The lifetime of this trial version has run out. To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.

{%TimeStamp% - Module %Scanner% - Threat Alert triggered on computer %ComputerName%: %InfectedObject% contains %VirusName%.

{%TimeStamp% - Module %Scanner% - Threat Alert triggered on computer %ComputerName%: %InfectedObject% contains %VirusName%.

%TimeStamp% - During execution of %ProgramName% on the computer %ComputerName%, the following warning occurred: %ErrorDescription%

%TimeStamp% - During execution of %ProgramName% on the computer %ComputerName%, the following warning occurred: %ErrorDescription%

Information on operating system

Information on operating system

Operating system:

Operating system:

%s: Warning

%s: Warning

%s: Error

%s: Error

%s: Threat alert

%s: Threat alert

Operating system version:

Operating system version:

Operating system type:

Operating system type:

%s(Version of common control components:

%s(Version of common control components:

once, %s.

once, %s.

repeatedly, every minutes.

repeatedly, every minutes.

Every day at %s.

Every day at %s.

at %s on the following days:

at %s on the following days:

at .

at .

Task will not be run.%Task will be run as soon as possible.LTask will be run if it has not completed within the last hours.

Task will not be run.%Task will be run as soon as possible.LTask will be run if it has not completed within the last hours.

& (At maximum every hours)

& (At maximum every hours)

%s %s

%s %s

dUser does not have administrator privileges. The Anti-Stealth technology is working in limited mode.qAnti-Stealth initialization could not be fully completed. The Anti-Stealth technology is working in limited mode.

dUser does not have administrator privileges. The Anti-Stealth technology is working in limited mode.qAnti-Stealth initialization could not be fully completed. The Anti-Stealth technology is working in limited mode.

Antivirus protection is disabledbVirus scanner initialization failed. Most of the %ProductName% modules will not function properly.cThe files have been qurantined successfully,

Antivirus protection is disabledbVirus scanner initialization failed. Most of the %ProductName% modules will not function properly.cThe files have been qurantined successfully,

but could not be removed from their original location! File %s is too long to submit for analysis!-%d files are too long to submit for analysis!

but could not be removed from their original location! File %s is too long to submit for analysis!-%d files are too long to submit for analysis!

3.0.621

3.0.621

ekrn.exe

ekrn.exe

egui.exe_1896:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

FtPh

FtPh

FtPhL

FtPhL

FtPhG

FtPhG

FtPhK

FtPhK

FtPh,

FtPh,

FtPj

FtPj

FxSSh

FxSSh

NxSSh

NxSSh

VxSSh

VxSSh

F SSh

F SSh

%3xz|8x

%3xz|8x

3xm%1x

3xm%1x

%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl

%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl

%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin2.inl

%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin2.inl

CImportExportConfigDlg

CImportExportConfigDlg

CPassword2Dlg

CPassword2Dlg

CPassword1Dlg

CPassword1Dlg

RegDeleteKeyExA

RegDeleteKeyExA

RegDeleteKeyExW

RegDeleteKeyExW

RtlFormatCurrentUserKeyPath

RtlFormatCurrentUserKeyPath

NtCreatePort

NtCreatePort

NtListenPort

NtListenPort

NtConnectPort

NtConnectPort

NtAcceptConnectPort

NtAcceptConnectPort

NtCompleteConnectPort

NtCompleteConnectPort

NtRequestPort

NtRequestPort

NtRequestWaitReplyPort

NtRequestWaitReplyPort

NtReplyWaitReceivePort

NtReplyWaitReceivePort

NtReplyPort

NtReplyPort

NtImpersonateClientOfPort

NtImpersonateClientOfPort

NtCreateKey

NtCreateKey

NtDeleteKey

NtDeleteKey

NtDeleteValueKey

NtDeleteValueKey

NtEnumerateKey

NtEnumerateKey

NtEnumerateValueKey

NtEnumerateValueKey

NtOpenKey

NtOpenKey

NtQueryValueKey

NtQueryValueKey

NtSetValueKey

NtSetValueKey

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

MS Windows

MS Windows

d:\installbuild\ess_3_0_600\build\apps\work\release\egui\winnt32\egui.pdb

d:\installbuild\ess_3_0_600\build\apps\work\release\egui\winnt32\egui.pdb

MFC80U.DLL

MFC80U.DLL

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

MSVCR80.dll

MSVCR80.dll

_crt_debugger_hook

_crt_debugger_hook

KERNEL32.dll

KERNEL32.dll

GetAsyncKeyState

GetAsyncKeyState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegEnumKeyW

RegEnumKeyW

RegDeleteKeyA

RegDeleteKeyA

RegDeleteKeyW

RegDeleteKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyA

RegOpenKeyA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

.PAVCException@@

.PAVCException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV12@@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV12@@@

.?AVCConfigViewPassword@@

.?AVCConfigViewPassword@@

.?AVCConfigViewWeb@@

.?AVCConfigViewWeb@@

.?AVCExecAppDlg@@

.?AVCExecAppDlg@@

.?AVCImportExportConfigDlg@@

.?AVCImportExportConfigDlg@@

.?AVCPanelHelpSupport@@

.?AVCPanelHelpSupport@@

.?AVCPassword1Dlg@@

.?AVCPassword1Dlg@@

.?AVCPassword2Dlg@@

.?AVCPassword2Dlg@@

.?AVCSupportPPDetect@@

.?AVCSupportPPDetect@@

.?AVCSupportPPFinish@@

.?AVCSupportPPFinish@@

.?AVCSupportPPReport@@

.?AVCSupportPPReport@@

.?AVCSupportPPRequest@@

.?AVCSupportPPRequest@@

.?AVCSupportPPSend@@

.?AVCSupportPPSend@@

.?AVCSupportSheet@@

.?AVCSupportSheet@@

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.?AV?$CMap@PAU_TREEITEM@@AAPAU1@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@@

.?AV?$CMap@PAU_TREEITEM@@AAPAU1@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@@

J%5xh

J%5xh

4jbc.qx

4jbc.qx

???@@@ %%%///

???@@@ %%%///

@ @@ @` @

@ @@ @` @

`@ `@@`@``@

`@ `@@`@``@

) .."$''!

) .."$''!

&lG*mIA}]*kG.kII

&lG*mIA}]*kG.kII

*mG.nIi

*mG.nIi

|.kG9wR?{We

|.kG9wR?{We

.qH.nF4sLv

.qH.nF4sLv

%dJ)R

%dJ)R

(0%xr$

(0%xr$

IbL.OD

IbL.OD

.leK[

.leK[

:CRt|

:CRt|

~~~999]]]

~~~999]]]

;BF.ht

;BF.ht

Q%US-H

Q%US-H

^W.vi0sgA

^W.vi0sgA

z)O%dV

z)O%dV

!'''&&$&&''&

!'''&&$&&''&

==?.jGJJ

==?.jGJJ

" " ,,000,,"

" " ,,000,,"

"*,022333221,,"

"*,022333221,,"

%&*-....---*&!

%&*-....---*&!

S#%%(.FJQ

S#%%(.FJQ

:!%uFm

:!%uFm

h-F},

h-F},

( E

( E

"!-.///0

"!-.///0

$$0%'

$$0%'

E%s (%s:%d)

E%s (%s:%d)

%s (%s:%d)

%s (%s:%d)

${UrlWeb}=hXXp://go.eset.eu|${LangID}=%d|${VersionID}=%d

${UrlWeb}=hXXp://go.eset.eu|${LangID}=%d|${VersionID}=%d

${UrlWeb}/knowledgebase?lng=${LangID}

${UrlWeb}/knowledgebase?lng=${LangID}

${UrlWeb}/virusinfo?lng=${LangID}

${UrlWeb}/virusinfo?lng=${LangID}

${UrlWeb}/virusradar?lng=${LangID}

${UrlWeb}/virusradar?lng=${LangID}

${UrlWeb}/home?lng=${LangID}

${UrlWeb}/home?lng=${LangID}

CMDLINE

CMDLINE

SupportCountry

SupportCountry

SupportCompany

SupportCompany

SupportMail

SupportMail

SupportLastName

SupportLastName

SupportFirstName

SupportFirstName

shell32.dll

shell32.dll

A*.lic

A*.lic

I%d %%

I%d %%

${ScannerID}=X|${ProfileName}=%s

${ScannerID}=X|${ProfileName}=%s

${ScannerID}=X|${ScannerPath}=%s

${ScannerID}=X|${ScannerPath}=%s

I${UrlWeb}/renew?lng=${LangID}&lid=%u&users=%u&dguid=%s&pid=%u&customer=%s

I${UrlWeb}/renew?lng=${LangID}&lid=%u&users=%u&dguid=%s&pid=%u&customer=%s

IFilters/Web

IFilters/Web

Ieset.chm

Ieset.chm

ecls.exe

ecls.exe

eguiProduct.dll

eguiProduct.dll

eguiLang.dll

eguiLang.dll

${UrlWeb}/supportform?lng=${LangID}

${UrlWeb}/supportform?lng=${LangID}

*.dat

*.dat

${UrlWeb}/versioninfo?lng=${LangID}&version=%d

${UrlWeb}/versioninfo?lng=${LangID}&version=%d

Eset System Keyboad Command

Eset System Keyboad Command

#xxx

#xxx

${UrlWeb}/renew?lng=${LangID}&dguid=%s&user=%s

${UrlWeb}/renew?lng=${LangID}&dguid=%s&user=%s

SUPPORT

SUPPORT

Advapi32.dll

Advapi32.dll

ieframe.dll

ieframe.dll

Kernel32.dll

Kernel32.dll

mpr.dll

mpr.dll

Ntdll.dll

Ntdll.dll

user32.dll

user32.dll

tuxtheme.dll

tuxtheme.dll

\BaseNamedObjects\NODCOMMXToXCommPort

\BaseNamedObjects\NODCOMMXToXCommPort

HNODCOMMXToXAckEvent

HNODCOMMXToXAckEvent

NODCOMMXToXSendEvent

NODCOMMXToXSendEvent

NODCOMMXToXCommMutex

NODCOMMXToXCommMutex

NODCOMMXToXReceiverMutex

NODCOMMXToXReceiverMutex

NODCOMMXToXSection

NODCOMMXToXSection

%sNODCOMMXToXBroadcast

%sNODCOMMXToXBroadcast

%sNODCOMMXToXBroadcastMutex

%sNODCOMMXToXBroadcastMutex

Http_Proxy_Port

Http_Proxy_Port

hXXp://

hXXp://

Http_Proxy_Server

Http_Proxy_Server

ÚContents%\system\net\cnetcfg\cnetcfg.ini

ÚContents%\system\net\cnetcfg\cnetcfg.ini

http=

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

comctl32.dll

comctl32.dll

NOD32 for Linux FTP Gateway

NOD32 for Linux FTP Gateway

NOD32 for Linux HTTP Gateway

NOD32 for Linux HTTP Gateway

LockPassword

LockPassword

ProxyPassword

ProxyPassword

ProxyPort

ProxyPort

MsgMinStatusLog

MsgMinStatusLog

MsgMinStatusSend

MsgMinStatusSend

MsgFormatError

MsgFormatError

MsgFormatVirus

MsgFormatVirus

SMTP_Password

SMTP_Password

SMTP_Username

SMTP_Username

SMTP_Address

SMTP_Address

SMTP_SenderAddress

SMTP_SenderAddress

SMTP_Server

SMTP_Server

SMTP_Flags

SMTP_Flags

SMTP_Enabled

SMTP_Enabled

*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc

*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc

RAClientPassword

RAClientPassword

RAClientPort

RAClientPort

LastExec

LastExec

I%s%s.

I%s%s.

&Export...

&Export...

&Username and Password setup...

&Username and Password setup...

&Import/export settings...

&Import/export settings...

&Knowledgebase on the web

&Knowledgebase on the web

ESET on the &web

ESET on the &web

Settings can be protected with a password in order to prevent them from unauthorized modification by users.

Settings can be protected with a password in order to prevent them from unauthorized modification by users.

&Password protect settings

&Password protect settings

&Enter password...

&Enter password...

Operating &memory

Operating &memory

Alert windows

Alert windows

Alert windows are displayed if a threat is detected, or if user intervention is required.

Alert windows are displayed if a threat is detected, or if user intervention is required.

Notification windows

Notification windows

&Password:

&Password:

Password setup

Password setup

O&ld password:

O&ld password:

&New password:

&New password:

Con&firm new password:

Con&firm new password:

Import and export settings

Import and export settings

Import and export

Import and export

&Import settings

&Import settings

&Export settings

&Export settings

SMTP server requires &authentication

SMTP server requires &authentication

Web access protection

Web access protection

Enable &web access protection

Enable &web access protection

ThreatSense.Net

ThreatSense.Net

Enable &ThreatSense.Net Early Warning System

Enable &ThreatSense.Net Early Warning System

More information on ThreatSense.Net Early Warning System.

More information on ThreatSense.Net Early Warning System.

An asterisk (*) denotes any number of any characters whereas ? denotes a single character. E.g. *.TXT means you are selecting all text files of any name.

An asterisk (*) denotes any number of any characters whereas ? denotes a single character. E.g. *.TXT means you are selecting all text files of any name.

&Executable file:

&Executable file:

%s (%s)

%s (%s)

Version %s

Version %s

%s, %s RAM

%s, %s RAM

&Revert only "%s" settings to defaults

&Revert only "%s" settings to defaults

To advance to a Customer care support request, click Next.

To advance to a Customer care support request, click Next.

Your support request is ready for submission.

Your support request is ready for submission.

&Interval between task execution (min.):

&Interval between task execution (min.):

&Time of task execution:

&Time of task execution:

T&ime of task execution:

T&ime of task execution:

R&un task immediately if the time since its last execution exceeds specified interval

R&un task immediately if the time since its last execution exceeds specified interval

&Date of task execution:

&Date of task execution:

mailto:support@eset.us

mailto:support@eset.us

Confirm old password

Confirm old password

%s`

%s`

%s

%s

We recommend that you submit your support queries using the following forms:

We recommend that you submit your support queries using the following forms:

Customer Care support request...

Customer Care support request...

Customer Care support request (web form)

Customer Care support request (web form)

Latest news: VVV.eset.comP

Latest news: VVV.eset.comP

Web access protection

Web access protection

Open ESET's websiteT

Open ESET's websiteT

%s;Antivirus and antispyware

%s;Antivirus and antispyware

Opens Personal firewall settings Open website with update detailsY

Opens Personal firewall settings Open website with update detailsY

User interface or in the lower part of the left-hand menu.

User interface or in the lower part of the left-hand menu.

Toggle Advanced mode?)Submit file for analysis...%Displays information about menu items

Toggle Advanced mode?)Submit file for analysis...%Displays information about menu items

The Tools section lets you maintain log files, configure sending of event notifications and alerts by email or over a local network, configure ThreatSense.Net Early Warning System as well as other system tools.

The Tools section lets you maintain log files, configure sending of event notifications and alerts by email or over a local network, configure ThreatSense.Net Early Warning System as well as other system tools.

Path=1001License files (*.lic)|*.lic|All files (*.*)|*.*||

Path=1001License files (*.lic)|*.lic|All files (*.*)|*.*||

Incorrect password!

Incorrect password!

Invalid old password!

Invalid old password!

Passwords do not match!

Passwords do not match!

&Old password:

&Old password:

0XML file (*.xml)|*.xml|Text file (*.txt)|*.txt||

0XML file (*.xml)|*.xml|Text file (*.txt)|*.txt||

seconds7Configuration files (*.xml)|*.xml|All files (*.*)|*.*||

seconds7Configuration files (*.xml)|*.xml|All files (*.*)|*.*||

Password protection setup

Password protection setup

Help and support1Help, troubleshooting, Customer Care and contacts

Help and support1Help, troubleshooting, Customer Care and contacts

Log files$Event logs related to %ProductName%.&Adjust your computer's security level.ASpecial tools designed to increase user comfort and productivity.

Log files$Event logs related to %ProductName%.&Adjust your computer's security level.ASpecial tools designed to increase user comfort and productivity.

Opens a web form with incident specification

Opens a web form with incident specification

Opens ESET's website

Opens ESET's website

"The program license expired on %s.

"The program license expired on %s.

License valid until %s.

License valid until %s.

3Username and Password setup... RChange the protection mode of your computer in the network...

3Username and Password setup... RChange the protection mode of your computer in the network...

Files run before user logon|Files run after user logon|Only the most frequently used files|Frequently used files|Commonly used files|Rarely used files|All registered files8Are you sure you want to remove the scheduled task "%s"? Failed to remove scheduled task. Are you sure you want to run the task "%s"?

Files run before user logon|Files run after user logon|Only the most frequently used files|Frequently used files|Commonly used files|Rarely used files|All registered files8Are you sure you want to remove the scheduled task "%s"? Failed to remove scheduled task. Are you sure you want to run the task "%s"?

Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||

Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||

Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||$Submitting file for analysis failed.

Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||$Submitting file for analysis failed.

Display warning windows

Display warning windows

Set up Username and Password for update...

Set up Username and Password for update...

Import and export settings...

Import and export settings...

Enter entire advanced setup tree.../Antivirus and antispyware/Web access protection

Enter entire advanced setup tree.../Antivirus and antispyware/Web access protection

Some of the suspicious files suitable for analysis have not been approved for submission yet. To open an approval window, click on this message. The added license expired on %s.

Some of the suspicious files suitable for analysis have not been approved for submission yet. To open an approval window, click on this message. The added license expired on %s.

Antispam module(Confirm file submission...4Submission of a suspicious file to ESET for analysis.Confirm submission of pending suspicious files*Antivirus and antispyware/Email protection

Antispam module(Confirm file submission...4Submission of a suspicious file to ESET for analysis.Confirm submission of pending suspicious files*Antivirus and antispyware/Email protection

Web access protection setup

Web access protection setup

Enter your Username and Password here for update

Enter your Username and Password here for update

Import or export settings

Import or export settings

%d

%d

%d (%d%%)

%d (%d%%)

Web access protection

Web access protection

Import settings

Import settings

An error occurred during the import process. Import was not completed successfully. For more information about import, click here.

An error occurred during the import process. Import was not completed successfully. For more information about import, click here.

&Show information about settings import

&Show information about settings import

Export settings

Export settings

An error occurred while exporting settings. Export was not completed properly. For more information about exporting settings, click here.&Show information about settings export

An error occurred while exporting settings. Export was not completed properly. For more information about exporting settings, click here.&Show information about settings export

Purchase full version...

Purchase full version...

Upgrade to the full version after entering a valid Username and Password

Upgrade to the full version after entering a valid Username and Password

5Are you sure you want to delete selected log records?3Are you sure you want to delete selected log files?.Are you sure you want to delete the whole log?.Are you sure you want to delete all log files?

5Are you sure you want to delete selected log records?3Are you sure you want to delete selected log files?.Are you sure you want to delete the whole log?.Are you sure you want to delete all log files?

Choose quarantine folder.0Applications (*.exe)|*.exe|All files (*.*)|*.*||.Add a work folder for running the application.

Choose quarantine folder.0Applications (*.exe)|*.exe|All files (*.*)|*.*||.Add a work folder for running the application.

Configure...}Web access protection

Configure...}Web access protection

Web access protection

Web access protection

Configure email protection parametersGEnable web access protection

Configure email protection parametersGEnable web access protection

Configure Web access protection parameters

Configure Web access protection parameters

Configure email protectionHDisable web access protection

Configure email protectionHDisable web access protection

Configure web access protection parameters

Configure web access protection parameters

@Enable Antivirus and antispyware protection GEnter your Username and Password for update of virus signature database:Change the protection mode of your computer in the network Enable Antivirus and antispyware protection

@Enable Antivirus and antispyware protection GEnter your Username and Password for update of virus signature database:Change the protection mode of your computer in the network Enable Antivirus and antispyware protection

(Advance to Customer care support request

(Advance to Customer care support request

Your license expired on %s. To renew your license, click here.

Your license expired on %s. To renew your license, click here.

Your computer is running in safe mode. Do you want to run an antivirus and antispyware scan of your computer? For more information about the antivirus and antispyware scan in safe mode, click here.BShow information about antivirus and antispyware scan in safe modeFDiagnostic records|Informative records|Warnings|Errors|Critical errors1Never|To infected email only|To all scanned email

Your computer is running in safe mode. Do you want to run an antivirus and antispyware scan of your computer? For more information about the antivirus and antispyware scan in safe mode, click here.BShow information about antivirus and antispyware scan in safe modeFDiagnostic records|Informative records|Warnings|Errors|Critical errors1Never|To infected email only|To all scanned email

ZAllows you to enter the Username and Password you received after purchase or registration.QAllows you to change the sharing mode of your folders and printer in the network.

ZAllows you to enter the Username and Password you received after purchase or registration.QAllows you to change the sharing mode of your folders and printer in the network.

Temporarily disables the antivirus and antispyware protection of files, email and access to the web. All modules will be enabled automatically after the next restart. Use this option carefully!6Enables deactivated antivirus and antispyware modules.

Temporarily disables the antivirus and antispyware protection of files, email and access to the web. All modules will be enabled automatically after the next restart. Use this option carefully!6Enables deactivated antivirus and antispyware modules.

Disables filtering of network traffic. The Personal firewall will be enabled automatically after the next computer restart. Please use this option carefully!BEnables filtering of the network traffic by the Personal firewall.KPermanent protection of files used by applications or the operating system.(Scanning of incoming and outgoing email.TProtection against attacks incoming from web pages and scanning of downloaded files.

Disables filtering of network traffic. The Personal firewall will be enabled automatically after the next computer restart. Please use this option carefully!BEnables filtering of the network traffic by the Personal firewall.KPermanent protection of files used by applications or the operating system.(Scanning of incoming and outgoing email.TProtection against attacks incoming from web pages and scanning of downloaded files.

All files (*.*)|*.*||

All files (*.*)|*.*||

The window will close automatically in %d %s.

The window will close automatically in %d %s.

Virus signature database: %ScannerVersion%

Virus signature database: %ScannerVersion%

Tools/ThreatSense.Net

Tools/ThreatSense.Net

*ThreatSense.Net Early Warning System setup

*ThreatSense.Net Early Warning System setup

The ThreatSense.Net Early Warning System is the best way to help ESET protect you as well as keep you informed about new and evolving threats. This system can submit new threats to ESET's lab and provides feedback that can help protect your computer.

The ThreatSense.Net Early Warning System is the best way to help ESET protect you as well as keep you informed about new and evolving threats. This system can submit new threats to ESET's lab and provides feedback that can help protect your computer.

$ThreatSense.Net Early Warning System

$ThreatSense.Net Early Warning System

ESettings are not password protected.

ESettings are not password protected.

CShow help with information on ThreatSense.Net Early Warning System.ASettings are password protected.

CShow help with information on ThreatSense.Net Early Warning System.ASettings are password protected.

Create new taskX%ProductName% requires your attention. For more information, click on this notification.QYour system is exposed to risk. For more information, click on this notification.1For more information, click on this notification.k@My profile=My profile|@Shellext scan=Context menu scan|@In-depth scan=In-depth scan|@Smart scan=Smart scan

Create new taskX%ProductName% requires your attention. For more information, click on this notification.QYour system is exposed to risk. For more information, click on this notification.1For more information, click on this notification.k@My profile=My profile|@Shellext scan=Context menu scan|@In-depth scan=In-depth scan|@Smart scan=Smart scan

Every time computer starts|The first time the computer starts each day|Dial-up connection to the Internet/VPN|Successful update of the virus signature database|Successful update of the program components|User logon'Task will be run only once on %s at %s.

Every time computer starts|The first time the computer starts each day|Dial-up connection to the Internet/VPN|Successful update of the virus signature database|Successful update of the program components|User logon'Task will be run only once on %s at %s.

Task will be run repeatedly %s.!Task will be run every day at %s..Task will be run at %s on the following days:

Task will be run repeatedly %s.!Task will be run every day at %s..Task will be run at %s on the following days:

Task will not be run.%Task will be run as soon as possible.ATask will be run if it has not been completed within the last %s.

Task will not be run.%Task will be run as soon as possible.ATask will be run if it has not been completed within the last %s.

(once per %s at maximum)

(once per %s at maximum)

Edit task.every minute|every %d minutes|every %d minutes%last hour|last %d hours|last %d hours

Edit task.every minute|every %d minutes|every %d minutes%last hour|last %d hours|last %d hours

hour|%d hour|%d hours

hour|%d hour|%d hours

3.0.621

3.0.621

egui.exe

egui.exe