Trojan.Win32.Autoit.wh (Kaspersky), Trojan.Generic.70781 (AdAware), Trojan.Win32.Alureon.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b7921fcd083df99a3fe59e1712a919c7
SHA1: 7391e5c201fc0a6e5f9bbbc7e71fa06d9c55d561
SHA256: f4acf29addb699c71ede89d9ed43e42c38885ea2a0b3d9645e4ca9408c9f288f
SSDeep: 393216:oPh1Ca/ajg9kGQw61DlxQgAXrInDbthiMheEvYvKBp6hVFWJGGe:Yh1gkejzTAXrInD60eQYvKBp6h31
Size: 17128583 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2007-10-24 12:48:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
trlang.exe:1932
egui.exe:1896
updatepatch.exe:456
ekrn.exe:364
is-5IC2H.tmp:1060
%original file name%.exe:1920
NOD32.FiX.v3.0.tmp:652
NOD32.FiX.v3.0.exe:228
nlv3mod.exe:2968
MsiExec.exe:1204
MsiExec.exe:1328
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process trlang.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOELang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnScanLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnEpfwLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOESmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiScanLang.dll (7832 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiLang.dll (30568 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ShellExtLang.dll (2312 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnSmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eclsLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEpfwLang.dll (20648 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiAmonLang.dll (392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
The process updatepatch.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (3746 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp (0 bytes)
The process ekrn.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat (174 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB (388548 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EHttpSrv.xml (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles\upd0AE4.ver (0 bytes)
The process is-5IC2H.tmp:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\ESET\ESET NOD32 Antivirus\unins001.dat (2064 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-VNGOU.tmp (7616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\is-M3T4C.tmp (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (0 bytes)
The process %original file name%.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (4727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (5560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (118928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (228 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (0 bytes)
The process NOD32.FiX.v3.0.tmp:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\is-HR45C.tmp (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ESET\ESET NOD32 Antivirus\Uninstall NOD32 FiX.lnk (775 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-QAQB8.tmp (3073 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\unins000.dat (934 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-5SSES.tmp (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (3 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-GBGIK.tmp (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (23 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\NOD32.FiX.v3.0-aRC-ReXBR-nsane.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp (0 bytes)
The process NOD32.FiX.v3.0.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (3753 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (0 bytes)
The process MsiExec.exe:1204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Installer\7af7.msi (122334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inx5.tmp (5 bytes)
The process MsiExec.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
Registry activity
The process trlang.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 0C 78 EE A6 50 35 F8 A4 C6 81 5C BA B6 83 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process egui.exe:1896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 2F 64 6E 78 65 10 74 30 D6 99 7E 1E EB B2 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000800]
"OutlookIntegrationChangeCounter" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process updatepatch.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 8E 5F F3 22 D6 6C DD 37 67 44 9E C8 D6 E3 2A"
The process ekrn.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/EPFW"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"CleanerBuild" = "1024"
[HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions]
"Eset Outlook Plugin" = "4.0;C:\PROGRA~1\ESET\ESETNO~1\EPLGOU~4.DLL;1;11010111111000"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "16777473"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"LastExec" = "1473305893"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"Password" = "00 D6 A7 E9 B9 F0 CF F2 68 64 50 AD C5 C8 2C 75"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\100]
"LastExec" = "1473305893"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"UserName" = "eavtrial52"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"DisplayName" = "EPFW e-posta tarayıcı kurulumu"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"DisplayName" = "Uygulamalar veya işletim sistemi tarafından kullanılan dosyaları sürekli koruma."
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ArchivesBuild" = "1020"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "2040"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersion" = "2740 (20071221)"
"UniqueID" = "0006156F57D0DD20"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"DisplayName" = "Başlangıçta otomatik dosya tarayıcısı kurulumu"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"PerseusBuild" = "1117"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler]
"TimeStamp" = "1835213340"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/EPFW"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"EditionName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ScannerBuild" = "2040"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ProxyEnabled" = "2"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"AdvheurBuild" = "1018"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C6 3C BA 1E D0 6E 6C CE 18 08 B9 03 E6 C1 9F"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1]
"LastExec" = "1473305949"
[HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions]
"Outlook Setup Extension" = "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Filters/Startup"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "2740"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"DisplayName" = "EPFW web tarayıcı kurulumu"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"LastExec" = "1473305949"
The process is-5IC2H.tmp:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/EPFW"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u20.eset.com" = "d2019a-893-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000100\Profiles]
"Enable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight8" = "20"
"DefaultServerWeight9" = "20"
"DefaultServerWeight0" = "20"
"DefaultServerWeight1" = "20"
"DefaultServerWeight2" = "20"
"DefaultServerWeight3" = "20"
"DefaultServerWeight4" = "20"
"DefaultServerWeight5" = "20"
"DefaultServerWeight6" = "20"
"DefaultServerWeight7" = "20"
"VerFileETAG_89.202.157.139" = "8381f2-892-709e1a40"
"VerFileETAG_89.202.157.138" = "96c0ef-892-709e1a40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: Icon Group" = "(Default)"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"AdwareEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_89.202.157.137" = "ed820d-892-709e1a40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_0]
"Infiltration" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerCount" = "29"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_00000002]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "1000101"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles]
"Active" = "@My profile"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u39.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"AdvancedHeuristicsEnable" = "1"
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_1]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"RtpEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"InstallLocation" = "%Program Files%\ESET\ESET NOD32 Antivirus\"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"SfxEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"SelectedServer" = "http://u20.eset.com/eset_eval/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"MemoryEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"TriggerSettings" = "327680"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"AdvancedHeuristicsEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u33.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_update.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_u24.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles]
"Enable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u20.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_1]
"Infiltration" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SectorEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"AdvancedHeuristicsEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SectorEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"TriggerType" = "4"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"FileEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"ArchiveEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ScanUnwantedApp" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Filter]
"LogAllEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"AdwareEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000100\Profiles]
"Active" = "@In-depth scan"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"Name" = "NOD32 FiX by TemDono"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u33.eset.com" = "8dcdc-892-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "2113"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"RtpEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SectorEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SignaturesEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"UniqueID" = "0004DB97967FE6B1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServer29" = "http://u49.eset.com/eset_eval/"
"DefaultServer28" = "http://u48.eset.com/eset_eval/"
"DefaultServer25" = "http://u45.eset.com/eset_eval/"
"DefaultServer24" = "http://u44.eset.com/eset_eval/"
"DefaultServer27" = "http://u47.eset.com/eset_eval/"
"DefaultServer26" = "http://u46.eset.com/eset_eval/"
"DefaultServer21" = "http://u41.eset.com/eset_eval/"
"DefaultServer20" = "http://u40.eset.com/eset_eval/"
"DefaultServer23" = "http://u43.eset.com/eset_eval/"
"DefaultServer22" = "http://u42.eset.com/eset_eval/"
"DefaultServer6" = "http://89.202.157.136/eset_eval/"
"DefaultServer7" = "http://89.202.157.137/eset_eval/"
"DefaultServer4" = "http://u24.eset.com/eset_eval/"
"DefaultServer5" = "http://89.202.157.135/eset_eval/"
"DefaultServer2" = "http://u22.eset.com/eset_eval/"
"DefaultServer3" = "http://u23.eset.com/eset_eval/"
"DefaultServer0" = "http://u20.eset.com/eset_eval/"
"DefaultServer1" = "http://u21.eset.com/eset_eval/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"CleanLevel" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"MemoryEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServer8" = "http://89.202.157.138/eset_eval/"
"DefaultServer9" = "http://89.202.157.139/eset_eval/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Enable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"NoModify" = "1"
"UninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins001.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 39 3C 76 86 CF 59 E3 80 8D C5 A8 B7 19 D7 D3"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "2767"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"ArchiveEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u39.eset.com" = "89a57-892-709e1a40"
"DefaultServerWeight18" = "20"
"DefaultServerWeight19" = "20"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"MemoryEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight12" = "20"
"DefaultServerWeight13" = "20"
"DefaultServerWeight10" = "20"
"DefaultServerWeight11" = "20"
"DefaultServerWeight16" = "20"
"DefaultServerWeight17" = "20"
"DefaultServerWeight14" = "20"
"DefaultServerWeight15" = "20"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"FileEnable" = "1"
[HKLM\SOFTWARE\ESET\NOD\CurrentVersion\InstalledComponents\V3]
"Build" = "805306368"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"HeuristicsEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SignaturesEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"SfxEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"AdvancedHeuristicsEnable" = "0"
[HKLM\SOFTWARE\ESET\Nod\CurrentVersion\Info]
"InstallDir" = "Obsolete"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"RtpEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: App Path" = "%Program Files%\ESET\ESET NOD32 Antivirus"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u48.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"QuietUninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins001.exe /SILENT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"MemoryEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallDate" = "20160908"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_0]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"CleanLevel" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/EPFW"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"StartFailSettings" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"MemoryEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Filter]
"PreserveFileTimesEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"ArchiveEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"ModuleID" = "16778752"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Filters/Startup"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"FileEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u44.eset.com" = "4031-892-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\UI_Settings\Servers]
"Server_0" = "http://u20.eset.com/eset_eval/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"ArchiveEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_update.eset.com" = "8381f2-892-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"AdvancedHeuristicsEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u23.eset.com" = "d38211-892-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Filter]
"ArchiveEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"MemoryEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SfxEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"UserName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"RtpEnable" = "1"
"AdwareEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight22" = "20"
"DefaultServerWeight21" = "20"
"DefaultServerWeight20" = "20"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight26" = "20"
"DefaultServerWeight25" = "20"
"DefaultServerWeight24" = "20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"Inno Setup: Setup Version" = "5.1.12"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight29" = "20"
"DefaultServerWeight28" = "20"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"RtpEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u44.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"EditionName" = "TNCTR.COM Özel Sürüm by Hakanakt (50 Yýl ücretsiz)"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"SignaturesEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1038166662]
"LastExec" = "1199657632"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileETAG_u48.eset.com" = "3fec-892-709e1a40"
"DefaultServerWeight23" = "20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Ex~B33E70F6_is1]
"DisplayName" = "NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_00000002]
"Infiltration" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_89.202.157.137" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"MailEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_89.202.157.139" = "Fri, 04 Jan 2008 20:34:41 GMT"
"VerFileLastModified_89.202.157.138" = "Fri, 04 Jan 2008 20:34:41 GMT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"SfxEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Default]
"SfxEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"HeuristicsEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Smart scan]
"HeuristicsEnable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"DefaultServerWeight27" = "20"
"VerFileETAG_u24.eset.com" = "3f0199-892-709e1a40"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@Shellext scan]
"SfxEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101\Profiles\@My profile]
"ArchiveEnable" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles\@In-depth scan]
"CleanLevel" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"VerFileLastModified_u23.eset.com" = "Fri, 04 Jan 2008 20:34:41 GMT"
"DefaultServer14" = "http://u34.eset.com/eset_eval/"
"DefaultServer15" = "http://u35.eset.com/eset_eval/"
"DefaultServer16" = "http://u36.eset.com/eset_eval/"
"DefaultServer17" = "http://u37.eset.com/eset_eval/"
"DefaultServer10" = "http://u30.eset.com/eset_eval/"
"DefaultServer11" = "http://u31.eset.com/eset_eval/"
"DefaultServer12" = "http://u32.eset.com/eset_eval/"
"DefaultServer13" = "http://u33.eset.com/eset_eval/"
"DefaultServer18" = "http://u38.eset.com/eset_eval/"
"DefaultServer19" = "http://u39.eset.com/eset_eval/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000800\Profiles\@My profile]
"Active" = "@My profile"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"PackageTag" = "72029443"
The process %original file name%.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D D6 0C 3E 59 B5 4E 86 69 7D 1B AF BB 7E A0 65"
The process NOD32.FiX.v3.0.tmp:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Flags" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"
"TriggerType" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: App Path" = "%Program Files%\ESET\ESET NOD32 Antivirus"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"DisplayVersion" = "3.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Flags" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: Setup Version" = "5.2.2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"Inno Setup: Icon Group" = "ESET\ESET NOD32 Antivirus"
"NoRepair" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Path" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Flags" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"InstallDate" = "20160908"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Enabled" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"UninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"URLUpdateInfo" = "http://www.nsanedown.com/?request=140184"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"QuietUninstallString" = "%Program Files%\ESET\ESET NOD32 Antivirus\unins000.exe /SILENT"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"Name" = "NOD32 FiX"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"DisplayName" = "NOD32 FiX"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\999999999]
"ModuleID" = "16778752"
"TriggerSettings" = "120"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Infiltration" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999997]
"Infiltration" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999998]
"Path" = "%Program Files%\ESET\ESET NOD32 Antivirus\nlv3mod.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 67 D1 B3 6F 69 F5 A5 1F 51 71 44 5E 25 AC 46"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Path" = "%Program Files%\ESET\ESET NOD32 Antivirus\Obsoletenodlogin.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"HelpLink" = "http://www.nsaneforums.com/?showforum=20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes\Node_99999999]
"Infiltration" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"InstallLocation" = "%Program Files%\ESET\ESET NOD32 Antivirus\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1]
"URLInfoAbout" = "http://www.nsanedown.com/"
"Publisher" = "nsane.down"
The process NOD32.FiX.v3.0.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E E5 7A 2D 40 E1 2A 8B F5 CB CC 40 6A AB 94 14"
The process nlv3mod.exe:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 8C 49 3E 46 12 39 FF 39 A9 5C 01 06 CE 32 24"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"Password"
"Username"
The process MsiExec.exe:1204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF B2 7B C5 0F 06 55 14 46 9C 57 BF FB 44 1B 3A"
The process MsiExec.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ESET\Setup\Drivers\{CBE608F3-7E23-433C-9126-0B720DF8C909}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\eamon\eamon.inf"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdate" = "1473305886"
[HKCR\Folder\ShellEx\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{4A2B7826-D821-4E2F-9E5C-772291C3589B}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\easdrv\easdrv.inf"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{4AB32F18-A357-46E6-827C-58F4ACB4104F}]
"DriverVer" = "12/21/2007, 3.0.621.0"
[HKCR\Drives\Shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "Eset Smart Security - Context Menu Shell Extension"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{4AB32F18-A357-46E6-827C-58F4ACB4104F}]
"Inf0" = "%Program Files%\ESET\ESET NOD32 Antivirus\Drivers\epfwtdir\epfwtdir.inf"
[HKCR\*\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET NOD32 Antivirus\shellExt.dll"
[HKLM\SOFTWARE\Microsoft\Driver Signing]
"Policy" = "00"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{CBE608F3-7E23-433C-9126-0B720DF8C909}]
"DriverVer" = "12/21/2007, 3.0.621.0"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Groups]
"Groups" = "perseus,systemstatus"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 16 98 4E 45 33 1D 74 C0 F8 9A 30 F3 55 84 E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"PrivateHash" = "7D 1E 6F 9D 02 2D 9D 06 A6 A6 A8 32 69 4E 54 D3"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{4A2B7826-D821-4E2F-9E5C-772291C3589B}]
"DriverVer" = "12/21/2007, 3.0.621.0"
[HKLM\SOFTWARE\ESET\Setup\CurrentSession]
"PrevSystemDriversSetting" = "1"
[HKCR\Drive\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateAttempt" = "1473305886"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\ESET\Setup\CurrentSession]
"PrevUserDriversSetting"
"PrevSystemDriversSetting"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\DRIVERS\easdrv.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\epfwtdir.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\easdrv.sys" the Trojan controls the loading of executable images into memory by installing the Load image notifier.
Using the driver "%System%\DRIVERS\eamon.sys" the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
trlang.exe:1932
egui.exe:1896
updatepatch.exe:456
ekrn.exe:364
is-5IC2H.tmp:1060
%original file name%.exe:1920
NOD32.FiX.v3.0.tmp:652
NOD32.FiX.v3.0.exe:228
nlv3mod.exe:2968
MsiExec.exe:1204
MsiExec.exe:1328
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOELang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnScanLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnEpfwLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOESmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiUpdateLang.dll (3848 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiScanLang.dll (7832 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiLang.dll (30568 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiSmonLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ShellExtLang.dll (2312 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnSmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eclsLang.dll (1160 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEpfwLang.dll (20648 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiEmonLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\ekrnMailPluginsLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eplgOutlookLang.dll (392 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\eguiAmonLang.dll (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-A2DMS.tmp\is-5IC2H.tmp (3746 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat (174 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat (60 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB (388548 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\EHttpSrv.xml (2 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\unins001.dat (2064 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-VNGOU.tmp (7616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\is-M3T4C.tmp (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DNMVT.tmp\_isetup\_RegDLL.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\trlang.exe (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\NOD32.FiX.v3.0.exe (4727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\hidcon.exe (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\updatepatch.exe (5560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\nod32.msi (118928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zS1.tmp\INSTALL.CMD (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\is-HR45C.tmp (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ESET\ESET NOD32 Antivirus\Uninstall NOD32 FiX.lnk (775 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-QAQB8.tmp (3073 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\unins000.dat (934 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-5SSES.tmp (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_RegDLL.tmp (3 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\is-GBGIK.tmp (9223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EN3NR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-67B5L.tmp\NOD32.FiX.v3.0.tmp (3753 bytes)
%Documents and Settings%\All Users\Application Data\ESET\ESET NOD32 Antivirus\Installer\7af7.msi (122334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inx5.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF15.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP32.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP22.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF12.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1E.tmp (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF59.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar85.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3E.tmp (4028 bytes)
%System%\drivers\SET8A.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP64.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF35.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2E.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF31.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF18.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab86.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP54.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF53.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1B.tmp (267 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em001_32.dat (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2A.tmp (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4D.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1A.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP1C.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF45.tmp (271 bytes)
%System%\drivers\SET8E.tmp (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF39.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF19.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3F.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab88.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7B.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP20.tmp (53149 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em003_32.dat (2019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP52.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFE.tmp (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF4B.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF73.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF25.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6D.tmp (267 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em000_32.dat (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP66.tmp (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP3A.tmp (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5F.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP47.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP42.tmp (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6F.tmp (3565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7C.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF41.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSFF.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP38.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF7D.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF51.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6E.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1F.tmp (277 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em004_32.dat (6963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF23.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF16.tmp (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP72.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF13.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4F.tmp (1652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF29.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7A.tmp (30 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em002_32.dat (180567 bytes)
%WinDir%\setupapi.log (10176 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP34.tmp (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7F.tmp (3565 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP56.tmp (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP37.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5D.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP40.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6C.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5A.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF49.tmp (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP28.tmp (53149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF79.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF10.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP27.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF14.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab84.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP57.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP24.tmp (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP60.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP50.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP62.tmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar89.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF17.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF11.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP58.tmp (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF75.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2D.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF5B.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3D.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar87.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4A.tmp (51 bytes)
%Program Files%\ESET\ESET NOD32 Antivirus\em005_32.dat (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF63.tmp (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP70.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF69.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP48.tmp (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP30.tmp (53149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF2B.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP4E.tmp (4028 bytes)
%System%\drivers\SET8C.tmp (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF3B.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF6B.tmp (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP68.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP74.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP76.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP5E.tmp (10111 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP26.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP46.tmp (4028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP36.tmp (106475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF71.tmp (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2C.tmp (74 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP2F.tmp (63073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP6A.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP77.tmp (3565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP7E.tmp (2990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF33.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF65.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF21.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF1D.tmp (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP67.tmp (4979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF55.tmp (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF43.tmp (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NUP78.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NSF61.tmp (274 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui" = "%Program Files%\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: www.tnctr.com
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language:
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 94046 | 94208 | 4.54007 | 5f527761e4a62f1934404677b8f6cc31 |
.rdata | 98304 | 16690 | 16896 | 3.05806 | 134d1ad3ec02184774b2c0e4bea00903 |
.data | 118784 | 22856 | 12800 | 0.901872 | c820faaa2e85482e274c0a9283f6d130 |
.rsrc | 143360 | 203104 | 203264 | 5.26434 | d4121c9bb46ac93a7152fe478e9ab3f3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl | |
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2004.crl | |
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://crl.verisign.com/pca3.crl | 23.37.37.163 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 13.107.4.50 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 13.107.4.50 |
hxxp://CSC3-2004-crl.verisign.com/CSC3-2004.crl | |
csc3-2004-crl.verisign.com | 23.37.37.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CSC3-2004.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: CSC3-2004-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "35e423f44c2b9b573919cef614e62f3b:1473282619"
Last-Modified: Wed, 07 Sep 2016 21:10:19 GMT
Date: Thu, 08 Sep 2016 03:38:08 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 18
Content-Type: text/plain
Last-Modified: Thu, 14 Apr 2016 22:20:39 GMT
Accept-Ranges: bytes
ETag: "8095d7df9b96d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: RU
X-MSEdge-Ref: Ref A: 12FF7BE133744A30BF8E113B0F531FC3 Ref B: 6073D500E98A8380F3DE914AFD7C2E04 Ref C: Wed Sep 7 20:38:23 2016 PST
Date: Thu, 08 Sep 2016 03:38:22 GMT
1401D1969BE01E11A6....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 49640
Content-Type: application/octet-stream
Last-Modified: Fri, 15 Apr 2016 17:23:18 GMT
Accept-Ranges: bytes
ETag: "0c730803b97d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: RU
X-MSEdge-Ref: Ref A: 527BD296FE284F0381B900C25054DD32 Ref B: 19744FB6BA7F5F167D078D514142D405 Ref C: Wed Sep 7 20:38:23 2016 PST
Date: Thu, 08 Sep 2016 03:38:22 GMT
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"
Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT
Date: Thu, 08 Sep 2016 03:38:08 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
ekrn.exe_364:
egui.exe_1896:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
FtPh
FtPh
FtPhL
FtPhL
FtPhG
FtPhG
FtPhK
FtPhK
FtPh,
FtPh,
FtPj
FtPj
FxSSh
FxSSh
NxSSh
NxSSh
VxSSh
VxSSh
F SSh
F SSh
%3xz|8x
%3xz|8x
3xm%1x
3xm%1x
%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl
%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl
%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin2.inl
%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin2.inl
CImportExportConfigDlg
CImportExportConfigDlg
CPassword2Dlg
CPassword2Dlg
CPassword1Dlg
CPassword1Dlg
RegDeleteKeyExA
RegDeleteKeyExA
RegDeleteKeyExW
RegDeleteKeyExW
RtlFormatCurrentUserKeyPath
RtlFormatCurrentUserKeyPath
NtCreatePort
NtCreatePort
NtListenPort
NtListenPort
NtConnectPort
NtConnectPort
NtAcceptConnectPort
NtAcceptConnectPort
NtCompleteConnectPort
NtCompleteConnectPort
NtRequestPort
NtRequestPort
NtRequestWaitReplyPort
NtRequestWaitReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePort
NtReplyPort
NtReplyPort
NtImpersonateClientOfPort
NtImpersonateClientOfPort
NtCreateKey
NtCreateKey
NtDeleteKey
NtDeleteKey
NtDeleteValueKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateKey
NtEnumerateValueKey
NtEnumerateValueKey
NtOpenKey
NtOpenKey
NtQueryValueKey
NtQueryValueKey
NtSetValueKey
NtSetValueKey
KERNEL32.DLL
KERNEL32.DLL
ntdll.dll
ntdll.dll
MS Windows
MS Windows
d:\installbuild\ess_3_0_600\build\apps\work\release\egui\winnt32\egui.pdb
d:\installbuild\ess_3_0_600\build\apps\work\release\egui\winnt32\egui.pdb
MFC80U.DLL
MFC80U.DLL
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
MSVCR80.dll
MSVCR80.dll
_crt_debugger_hook
_crt_debugger_hook
KERNEL32.dll
KERNEL32.dll
GetAsyncKeyState
GetAsyncKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegEnumKeyW
RegEnumKeyW
RegDeleteKeyA
RegDeleteKeyA
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
RegOpenKeyA
RegOpenKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
.PAVCException@@
.PAVCException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV12@@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV12@@@
.?AVCConfigViewPassword@@
.?AVCConfigViewPassword@@
.?AVCConfigViewWeb@@
.?AVCConfigViewWeb@@
.?AVCExecAppDlg@@
.?AVCExecAppDlg@@
.?AVCImportExportConfigDlg@@
.?AVCImportExportConfigDlg@@
.?AVCPanelHelpSupport@@
.?AVCPanelHelpSupport@@
.?AVCPassword1Dlg@@
.?AVCPassword1Dlg@@
.?AVCPassword2Dlg@@
.?AVCPassword2Dlg@@
.?AVCSupportPPDetect@@
.?AVCSupportPPDetect@@
.?AVCSupportPPFinish@@
.?AVCSupportPPFinish@@
.?AVCSupportPPReport@@
.?AVCSupportPPReport@@
.?AVCSupportPPRequest@@
.?AVCSupportPPRequest@@
.?AVCSupportPPSend@@
.?AVCSupportPPSend@@
.?AVCSupportSheet@@
.?AVCSupportSheet@@
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.?AV?$CMap@PAU_TREEITEM@@AAPAU1@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@@
.?AV?$CMap@PAU_TREEITEM@@AAPAU1@V?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AAV23@@@
J%5xh
J%5xh
4jbc.qx
4jbc.qx
???@@@ %%%///
???@@@ %%%///
@ @@ @` @
@ @@ @` @
`@ `@@`@``@
`@ `@@`@``@
) .."$''!
) .."$''!
&lG*mIA}]*kG.kII
&lG*mIA}]*kG.kII
*mG.nIi
*mG.nIi
|.kG9wR?{We
|.kG9wR?{We
.qH.nF4sLv
.qH.nF4sLv
%dJ)R
%dJ)R
(0%xr$
(0%xr$
IbL.OD
IbL.OD
.leK[
.leK[
:CRt|
:CRt|
~~~999]]]
~~~999]]]
;BF.ht
;BF.ht
Q%US-H
Q%US-H
^W.vi0sgA
^W.vi0sgA
z)O%dV
z)O%dV
!'''&&$&&''&
!'''&&$&&''&
==?.jGJJ
==?.jGJJ
" " ,,000,,"
" " ,,000,,"
"*,022333221,,"
"*,022333221,,"
%&*-....---*&!
%&*-....---*&!
S#%%(.FJQ
S#%%(.FJQ
:!%uFm
:!%uFm
h-F},
h-F},
( E
( E
"!-.///0
"!-.///0
$$0%'
$$0%'
E%s (%s:%d)
E%s (%s:%d)
%s (%s:%d)
%s (%s:%d)
${UrlWeb}=hXXp://go.eset.eu|${LangID}=%d|${VersionID}=%d
${UrlWeb}=hXXp://go.eset.eu|${LangID}=%d|${VersionID}=%d
${UrlWeb}/knowledgebase?lng=${LangID}
${UrlWeb}/knowledgebase?lng=${LangID}
${UrlWeb}/virusinfo?lng=${LangID}
${UrlWeb}/virusinfo?lng=${LangID}
${UrlWeb}/virusradar?lng=${LangID}
${UrlWeb}/virusradar?lng=${LangID}
${UrlWeb}/home?lng=${LangID}
${UrlWeb}/home?lng=${LangID}
CMDLINE
CMDLINE
SupportCountry
SupportCountry
SupportCompany
SupportCompany
SupportMail
SupportMail
SupportLastName
SupportLastName
SupportFirstName
SupportFirstName
shell32.dll
shell32.dll
A*.lic
A*.lic
I%d %%
I%d %%
${ScannerID}=X|${ProfileName}=%s
${ScannerID}=X|${ProfileName}=%s
${ScannerID}=X|${ScannerPath}=%s
${ScannerID}=X|${ScannerPath}=%s
I${UrlWeb}/renew?lng=${LangID}&lid=%u&users=%u&dguid=%s&pid=%u&customer=%s
I${UrlWeb}/renew?lng=${LangID}&lid=%u&users=%u&dguid=%s&pid=%u&customer=%s
IFilters/Web
IFilters/Web
Ieset.chm
Ieset.chm
ecls.exe
ecls.exe
eguiProduct.dll
eguiProduct.dll
eguiLang.dll
eguiLang.dll
${UrlWeb}/supportform?lng=${LangID}
${UrlWeb}/supportform?lng=${LangID}
*.dat
*.dat
${UrlWeb}/versioninfo?lng=${LangID}&version=%d
${UrlWeb}/versioninfo?lng=${LangID}&version=%d
Eset System Keyboad Command
Eset System Keyboad Command
#xxx
#xxx
${UrlWeb}/renew?lng=${LangID}&dguid=%s&user=%s
${UrlWeb}/renew?lng=${LangID}&dguid=%s&user=%s
SUPPORT
SUPPORT
Advapi32.dll
Advapi32.dll
ieframe.dll
ieframe.dll
Kernel32.dll
Kernel32.dll
mpr.dll
mpr.dll
Ntdll.dll
Ntdll.dll
user32.dll
user32.dll
tuxtheme.dll
tuxtheme.dll
\BaseNamedObjects\NODCOMMXToXCommPort
\BaseNamedObjects\NODCOMMXToXCommPort
HNODCOMMXToXAckEvent
HNODCOMMXToXAckEvent
NODCOMMXToXSendEvent
NODCOMMXToXSendEvent
NODCOMMXToXCommMutex
NODCOMMXToXCommMutex
NODCOMMXToXReceiverMutex
NODCOMMXToXReceiverMutex
NODCOMMXToXSection
NODCOMMXToXSection
%sNODCOMMXToXBroadcast
%sNODCOMMXToXBroadcast
%sNODCOMMXToXBroadcastMutex
%sNODCOMMXToXBroadcastMutex
Http_Proxy_Port
Http_Proxy_Port
hXXp://
hXXp://
Http_Proxy_Server
Http_Proxy_Server
ÚContents%\system\net\cnetcfg\cnetcfg.ini
ÚContents%\system\net\cnetcfg\cnetcfg.ini
http=
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
comctl32.dll
comctl32.dll
NOD32 for Linux FTP Gateway
NOD32 for Linux FTP Gateway
NOD32 for Linux HTTP Gateway
NOD32 for Linux HTTP Gateway
LockPassword
LockPassword
ProxyPassword
ProxyPassword
ProxyPort
ProxyPort
MsgMinStatusLog
MsgMinStatusLog
MsgMinStatusSend
MsgMinStatusSend
MsgFormatError
MsgFormatError
MsgFormatVirus
MsgFormatVirus
SMTP_Password
SMTP_Password
SMTP_Username
SMTP_Username
SMTP_Address
SMTP_Address
SMTP_SenderAddress
SMTP_SenderAddress
SMTP_Server
SMTP_Server
SMTP_Flags
SMTP_Flags
SMTP_Enabled
SMTP_Enabled
*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc
*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc
RAClientPassword
RAClientPassword
RAClientPort
RAClientPort
LastExec
LastExec
I%s%s.
I%s%s.
&Export...
&Export...
&Username and Password setup...
&Username and Password setup...
&Import/export settings...
&Import/export settings...
&Knowledgebase on the web
&Knowledgebase on the web
ESET on the &web
ESET on the &web
Settings can be protected with a password in order to prevent them from unauthorized modification by users.
Settings can be protected with a password in order to prevent them from unauthorized modification by users.
&Password protect settings
&Password protect settings
&Enter password...
&Enter password...
Operating &memory
Operating &memory
Alert windows
Alert windows
Alert windows are displayed if a threat is detected, or if user intervention is required.
Alert windows are displayed if a threat is detected, or if user intervention is required.
Notification windows
Notification windows
&Password:
&Password:
Password setup
Password setup
O&ld password:
O&ld password:
&New password:
&New password:
Con&firm new password:
Con&firm new password:
Import and export settings
Import and export settings
Import and export
Import and export
&Import settings
&Import settings
&Export settings
&Export settings
SMTP server requires &authentication
SMTP server requires &authentication
Web access protection
Web access protection
Enable &web access protection
Enable &web access protection
ThreatSense.Net
ThreatSense.Net
Enable &ThreatSense.Net Early Warning System
Enable &ThreatSense.Net Early Warning System
More information on ThreatSense.Net Early Warning System.
More information on ThreatSense.Net Early Warning System.
An asterisk (*) denotes any number of any characters whereas ? denotes a single character. E.g. *.TXT means you are selecting all text files of any name.
An asterisk (*) denotes any number of any characters whereas ? denotes a single character. E.g. *.TXT means you are selecting all text files of any name.
&Executable file:
&Executable file:
%s (%s)
%s (%s)
Version %s
Version %s
%s, %s RAM
%s, %s RAM
&Revert only "%s" settings to defaults
&Revert only "%s" settings to defaults
To advance to a Customer care support request, click Next.
To advance to a Customer care support request, click Next.
Your support request is ready for submission.
Your support request is ready for submission.
&Interval between task execution (min.):
&Interval between task execution (min.):
&Time of task execution:
&Time of task execution:
T&ime of task execution:
T&ime of task execution:
R&un task immediately if the time since its last execution exceeds specified interval
R&un task immediately if the time since its last execution exceeds specified interval
&Date of task execution:
&Date of task execution:
mailto:support@eset.us
mailto:support@eset.us
Confirm old password
Confirm old password
%s`
%s`
We recommend that you submit your support queries using the following forms:
We recommend that you submit your support queries using the following forms:
Customer Care support request...
Customer Care support request...
Customer Care support request (web form)
Customer Care support request (web form)
Latest news: VVV.eset.comP
Latest news: VVV.eset.comP
Web access protection
Web access protection
Open ESET's websiteT
Open ESET's websiteT
%s;Antivirus and antispyware
%s;Antivirus and antispyware
Opens Personal firewall settings Open website with update detailsY
Opens Personal firewall settings Open website with update detailsY
User interface or in the lower part of the left-hand menu.
User interface or in the lower part of the left-hand menu.
Toggle Advanced mode?)Submit file for analysis...%Displays information about menu items
Toggle Advanced mode?)Submit file for analysis...%Displays information about menu items
The Tools section lets you maintain log files, configure sending of event notifications and alerts by email or over a local network, configure ThreatSense.Net Early Warning System as well as other system tools.
The Tools section lets you maintain log files, configure sending of event notifications and alerts by email or over a local network, configure ThreatSense.Net Early Warning System as well as other system tools.
Path=1001License files (*.lic)|*.lic|All files (*.*)|*.*||
Path=1001License files (*.lic)|*.lic|All files (*.*)|*.*||
Incorrect password!
Incorrect password!
Invalid old password!
Invalid old password!
Passwords do not match!
Passwords do not match!
&Old password:
&Old password:
0XML file (*.xml)|*.xml|Text file (*.txt)|*.txt||
0XML file (*.xml)|*.xml|Text file (*.txt)|*.txt||
seconds7Configuration files (*.xml)|*.xml|All files (*.*)|*.*||
seconds7Configuration files (*.xml)|*.xml|All files (*.*)|*.*||
Password protection setup
Password protection setup
Help and support1Help, troubleshooting, Customer Care and contacts
Log files$Event logs related to %ProductName%.&Adjust your computer's security level.ASpecial tools designed to increase user comfort and productivity.
Opens a web form with incident specification
Opens ESET's website
"The program license expired on %s.
License valid until %s.
3Username and Password setup... RChange the protection mode of your computer in the network...
Files run before user logon|Files run after user logon|Only the most frequently used files|Frequently used files|Commonly used files|Rarely used files|All registered files8Are you sure you want to remove the scheduled task "%s"? Failed to remove scheduled task. Are you sure you want to run the task "%s"?
Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||
Email messages (*.msg,*.eml)|*.msg;*.eml|Programs (*.com,*.exe,*.dll)|*.com;*.exe;*.dll|Scripts (*.bat,*.vbs,*.js)|*.bat;*.vbs;*.js|Documents (*.doc,*.xls)|*.doc;*.xls|All files (*.*)|*.*||$Submitting file for analysis failed.
Display warning windows
Set up Username and Password for update...
Enter entire advanced setup tree.../Antivirus and antispyware/Web access protection
Some of the suspicious files suitable for analysis have not been approved for submission yet. To open an approval window, click on this message. The added license expired on %s.
Antispam module(Confirm file submission...4Submission of a suspicious file to ESET for analysis.Confirm submission of pending suspicious files*Antivirus and antispyware/Email protection
Web access protection setup
Enter your Username and Password here for update
Import or export settings
%d
%d (%d%%)
Web access protection
Import settings
An error occurred during the import process. Import was not completed successfully. For more information about import, click here.
&Show information about settings import
Export settings
An error occurred while exporting settings. Export was not completed properly. For more information about exporting settings, click here.&Show information about settings export
Upgrade to the full version after entering a valid Username and Password
5Are you sure you want to delete selected log records?3Are you sure you want to delete selected log files?.Are you sure you want to delete the whole log?.Are you sure you want to delete all log files?
Choose quarantine folder.0Applications (*.exe)|*.exe|All files (*.*)|*.*||.Add a work folder for running the application.
Configure...}Web access protection
Web access protection
Configure email protection parametersGEnable web access protection
Configure Web access protection parameters
Configure email protectionHDisable web access protection
Configure web access protection parameters
@Enable Antivirus and antispyware protection GEnter your Username and Password for update of virus signature database:Change the protection mode of your computer in the network Enable Antivirus and antispyware protection
(Advance to Customer care support request
Your license expired on %s. To renew your license, click here.
Your computer is running in safe mode. Do you want to run an antivirus and antispyware scan of your computer? For more information about the antivirus and antispyware scan in safe mode, click here.BShow information about antivirus and antispyware scan in safe modeFDiagnostic records|Informative records|Warnings|Errors|Critical errors1Never|To infected email only|To all scanned email
ZAllows you to enter the Username and Password you received after purchase or registration.QAllows you to change the sharing mode of your folders and printer in the network.
Temporarily disables the antivirus and antispyware protection of files, email and access to the web. All modules will be enabled automatically after the next restart. Use this option carefully!6Enables deactivated antivirus and antispyware modules.
Disables filtering of network traffic. The Personal firewall will be enabled automatically after the next computer restart. Please use this option carefully!BEnables filtering of the network traffic by the Personal firewall.KPermanent protection of files used by applications or the operating system.(Scanning of incoming and outgoing email.TProtection against attacks incoming from web pages and scanning of downloaded files.
All files (*.*)|*.*||
The window will close automatically in %d %s.
Virus signature database: %ScannerVersion%
Tools/ThreatSense.Net
*ThreatSense.Net Early Warning System setup
The ThreatSense.Net Early Warning System is the best way to help ESET protect you as well as keep you informed about new and evolving threats. This system can submit new threats to ESET's lab and provides feedback that can help protect your computer.
$ThreatSense.Net Early Warning System
ESettings are not password protected.
CShow help with information on ThreatSense.Net Early Warning System.ASettings are password protected.
Create new taskX%ProductName% requires your attention. For more information, click on this notification.QYour system is exposed to risk. For more information, click on this notification.1For more information, click on this notification.k@My profile=My profile|@Shellext scan=Context menu scan|@In-depth scan=In-depth scan|@Smart scan=Smart scan
Every time computer starts|The first time the computer starts each day|Dial-up connection to the Internet/VPN|Successful update of the virus signature database|Successful update of the program components|User logon'Task will be run only once on %s at %s.
Task will be run repeatedly %s.!Task will be run every day at %s..Task will be run at %s on the following days:
Task will not be run.%Task will be run as soon as possible.ATask will be run if it has not been completed within the last %s.
(once per %s at maximum)
Edit task.every minute|every %d minutes|every %d minutes%last hour|last %d hours|last %d hours
hour|%d hour|%d hours
3.0.621
egui.exe