Gen.Variant.Adware.Kazy.559039_6050bd32b4 – Adaware

Gen:Variant.Adware.Kazy.559039 (B) (Emsisoft), Gen:Variant.Adware.Kazy.559039 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6050bd32b4762f279017abddf83429d5

SHA1: e87de08e09f48ca793881b6eaaf3e01edc5c6686

SHA256: 8bfcaf0a452e20dfd3303a6b9f925067d32d68fb49f49de31191fbedea56cd23

SSDeep: 49152:JbzJQNMlmyHOXIIDpoA58 WNazhnwHAeVywv/6 Mo9Ere/V0:JRQNGmyHopYIZJHwv/6Ji/q

Size: 4868040 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: TODO:

Created at: 2013-07-23 00:41:56

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

tmp5.exe:464
tmp2.exe:1252

The Trojan injects its code into the following process(es):

%original file name%.exe:320

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:320 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (0 bytes)

The process tmp2.exe:1252 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (0 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 11 A0 96 B6 37 E3 B1 30 56 7D 78 C8 FC 71 A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp5.exe" = "Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Escolade]
"Guid" = "3ef7641038b311e581cc000c298a8b37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp2.exe" = "Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process tmp5.exe:464 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
"(Default)" = "AmiBs.Installer"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
"(Default)" = "Installer Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCR\AmiBs.Installer.1\CLSID]
"(Default)" = "{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}"

[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\AmiBs.Installer]
"(Default)" = "Installer Class"

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\AmiBs.Installer.1]
"(Default)" = "Installer Class"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
"(Default)" = "AmiBs.Installer.1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 30 62 F1 0D 03 22 C6 8E 07 E4 0E AF 89 85 00"

[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
"(Default)" = "InstallerLib"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCR\AmiBs.Installer\CurVer]
"(Default)" = "AmiBs.Installer.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
[HKCR\AmiBs.Installer.1\CLSID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
[HKCR\AmiBs.Installer.1]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0]
[HKCR\AmiBs.Installer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Programmable]
[HKCR\AmiBs.Installer\CurVer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level"

The process tmp2.exe:1252 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\AmiBs.Boot.1]
"(Default)" = "Boot Class"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
"(Default)" = "AmiBs.Boot.1"

[HKCR\AmiBs.Boot\CurVer]
"(Default)" = "AmiBs.Boot.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"

[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AmiBs.Boot.1\CLSID]
"(Default)" = "{F04A2CA1-9140-4553-B6C4-03E4139ECA93}"

[HKCR\AmiBs.Boot]
"(Default)" = "Boot Class"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
"(Default)" = "AmiBs.Boot"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"

[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
"(Default)" = "IBoot"

[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
"(Default)" = "BootStrapperLib"

[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"

[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "tmp2.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB B9 77 69 D0 A4 10 78 5E 50 08 DC 18 FF C7 88"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1354017460"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
"(Default)" = "Boot Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
[HKCR\AmiBs.Boot.1]
[HKCR\AmiBs.Boot\CurVer]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
[HKCR\AmiBs.Boot]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Programmable]
[HKCR\AmiBs.Boot.1\CLSID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable"

Dropped PE files

MD5	File path
7222f8144a764f45b21fbc89e007c4c9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\htmlayout.dll
b7bd4dba39f45e1cf57683cab3a6f120	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.exe
0bd49da3957331a9a932e8be35448de1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp5.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
tmp5.exe:464
tmp2.exe:1252
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.
Legal Copyright:
Legal Trademarks:
Original Filename: xyzeAhK3X.lnk_
Internal Name: xyzeAhK3X.lnk_
File Version: 0.0.0.
File Description: iPumpe
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 0.0.0.Legal Copyright: Legal Trademarks: Original Filename: xyzeAhK3X.lnk_Internal Name: xyzeAhK3X.lnk_File Version: 0.0.0.File Description: iPumpeComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	403571	403968	4.56747	ab9143413605400bbb2f6fd9535b900d
.rdata	409600	90682	91136	3.51744	519033a4b55b82f2dd933ec9cea0f213
.data	503808	36608	9216	2.81532	40fdd4ae460b41f3fdb50fdf539d7509
.rsrc	540672	4333568	4329984	3.03413	d39338c96bc2bc1410e1cd8471b43fcd
.reloc	4874240	26820	27136	3.31665	127ac5e6d488e397c238b06e29a1b995

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
6cb468d8e106fd18f7d79c89cde5649f
619176599c8f8188c6a04179a75b0766
633aa8736aaf2d53a59af8b2b6333c04
9e94722d253d6f8f21ad96a78f7c4320

Network Activity

URLs

URL	IP
hxxp://urlforward.topdns.com/api/cc
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc	78.140.166.249
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc	188.164.255.157
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc=	206.190.150.104
hxxp://urlforward.topdns.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5	78.140.166.249
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5	188.164.255.157
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0=	206.190.150.104
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing
hxxp://dyno3mlj15jgv.cloudfront.net/V26/amipb.js
hxxp://urlforward.topdns.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001	78.140.166.249
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001	188.164.255.157
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw==	206.190.150.104
hxxp://cdn1.downloadsoup.com/V26/amipb.js	54.239.168.104
hxxp://www.freefilesdownloader.com/api/cc	199.59.160.184
hxxp://www.freefilesdownloader.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5	199.59.160.184
hxxp://www.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing	107.21.125.212
hxxp://www.freefilesdownloader.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001	199.59.160.184

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.amonetizeinstaller.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: hXXp://VVV.somauto.com

Content-Type: text/html; charset=UTF-8

Date: Sun, 02 Aug 2015 01:10:15 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

159c.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>.. <head>.. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> .. <title>Installer</title>.. <base href="hXXp://VVV.amonetizeinstaller.com:80/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing" />.. <script type="text/javascript" src="http://cdn1.downloadsoup.com/V26/amipb.js"></script>.. <script type="text/javascript">.. var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';.. var g_finish_install_button = '0';.. var g_popup_install_all = '0';.. var g_eula = '';.. var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=0&_psb=0&_cnt=17a44a22fad08cc0b155094444c454a2&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=0&_vert=0';.. var g_icon = '';.. var g_comps = [], g_pages = [], c, g_curPage = -1;.. var g_cid = '0';.. var g_tid = '';.. var g_cc = 'UA';.. var g_lang = 'en';.. var g_ip = '193.138.244.231';.. var g_browser = 'ie';.. var g_cnt = '6e3a7fadab157730fdf029b3bdb897c8';.. var g_ver = '1.1.2.41';..

<<< skipped >>>

GET /api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.freefilesdownloader.com

Connection: Close

HTTP/1.1 302 Found

Date: Sun, 02 Aug 2015 00:45:40 GMT

Server: Apache

location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: y.the-ad.net

Connection: Close

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 02 Aug 2015 01:10:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.4.4-14 deb7u4

Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPkMQ==; expires=Mon, 01-Aug-2016 01:10:13 GMT; path=/; domain=the-ad.net

Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:13 GMT; path=/; domain=the-ad.net

121..<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc=" chk;document.getElementsByTagName("head")[0].appendChild(s);}check(19960);</script></head><body></body></html>..0..

GET /api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.freefilesdownloader.com

Connection: Close

HTTP/1.1 302 Found

Date: Sun, 02 Aug 2015 00:45:49 GMT

Server: Apache

location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: rc-aflrm.com

Connection: Close

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.0.15

Date: Sun, 02 Aug 2015 01:10:18 GMT

Content-Type: text/plain

Connection: close

X-Powered-By: Express

Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly

Set-Cookie: affhstr=MMJht12R8mf5XS5H9qrguZjpYYD4lCRnnyi8GNMUlyE.; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly

Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWssHMR7Vg_WwF0AkPt6181inzrpzZEGPL_nlC8StgvcU.; Path=/; Expires=Mon, 03 Aug 2015 01:10:18 GMT; HttpOnly

Vary: Accept

Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw==

Content-Length: 250

Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U%2BT3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw%3D%3D..

GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: rc-aflrm.com

Connection: Close

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.0.15

Date: Sun, 02 Aug 2015 01:10:09 GMT

Content-Type: text/plain

Connection: close

X-Powered-By: Express

Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly

Set-Cookie: affhstr=SxJUEk_TrqMsAi_i3WZIhxQxIMq3E0MVOtKtU9Smmos.; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly

Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWVTeiHGNz3gVK4cwKuZbGnjsf8CF6j956bb8f7mbeIDY.; Path=/; Expires=Mon, 03 Aug 2015 01:10:09 GMT; HttpOnly

Vary: Accept

Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc=

Content-Length: 186

Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu%2FNdgFenPL1%2BkiGIS%2FoBRE%2FqBFA%2FRzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc%3D..

GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: unlimitedloads.com

Connection: Close

HTTP/1.1 301 Moved Permanently

Server: nginx/1.0.10

Date: Sun, 02 Aug 2015 01:10:13 GMT

Content-Type: text/html

Content-Length: 185

Connection: close

Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....

GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: unlimitedloads.com

Connection: Close

HTTP/1.1 301 Moved Permanently

Server: nginx/1.0.10

Date: Sun, 02 Aug 2015 01:10:23 GMT

Content-Type: text/html

Content-Length: 185

Connection: close

Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....

GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: rc-aflrm.com

Connection: Close

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.0.15

Date: Sun, 02 Aug 2015 01:10:10 GMT

Content-Type: text/plain

Connection: close

X-Powered-By: Express

Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly

Set-Cookie: affhstr=cbUq31HdMjvKxUKaxyzjeLUlwSpdyT1Zx9780v1N9Y0.; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly

Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRW9leZcTZQbTjgMpmg0V2FEMXmYV5ORfiNeA4wKBeqGhs.; Path=/; Expires=Mon, 03 Aug 2015 01:10:10 GMT; HttpOnly

Vary: Accept

Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0=

Content-Length: 294

Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1%2FUZ0R13zhKdcQ9T3rJPrV%2BySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti%2F6Nwf7jiLTCqp3lS5qx0Uu6SZV0%3D..

GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: y.the-ad.net

Connection: Close

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 02 Aug 2015 01:10:23 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.4.4-14 deb7u4

Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaO5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPhO3Jq/yVnb+o/ZlL7MXtLslBWGv4AIxurWygCmwwvBJYXFQGaFUcNn0pLc4pGTX3VsQdsicAFfIy6CGHzvw==; expires=Mon, 01-Aug-2016 01:10:23 GMT; path=/; domain=the-ad.net

Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:23 GMT; path=/; domain=the-ad.net

GET /V26/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Length: 67392

Connection: keep-alive

Date: Wed, 29 Jul 2015 11:41:12 GMT

x-amz-meta-cb-modifiedtime: Wed, 29 Jul 2015 05:06:06 GMT

Last-Modified: Wed, 29 Jul 2015 11:32:50 GMT

ETag: "8f5a83ae50a0bbb833ac39d48197be0f"

Accept-Ranges: bytes

Server: AmazonS3

Age: 48527

X-Cache: Hit from cloudfront

Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6xCzLhQycfjR-YoxJ4KTf2sLB5-FXFpguplV0KwJhbZx9SXtWhKdPQ==

..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];..function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) {.. }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. g_reportedComps.push(sn);.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. if (g_possibleComps[j].sel !== 2 && !IsDeclined(g_possibleComps[j].sn) && !IsDeclined(g_possibleComps[j].name)) {.. var k = 0;.. try {..

<<< skipped >>>

GET /api/cc HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.freefilesdownloader.com

Connection: Close

HTTP/1.1 302 Found

Date: Sun, 02 Aug 2015 00:45:39 GMT

Server: Apache

location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: unlimitedloads.com

Connection: Close

HTTP/1.1 301 Moved Permanently

Server: nginx/1.0.10

Date: Sun, 02 Aug 2015 01:10:15 GMT

Content-Type: text/html

Content-Length: 185

Connection: close

Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....

GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: y.the-ad.net

Connection: Close

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 02 Aug 2015 01:10:14 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.4.4-14 deb7u4

Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN4WFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPsN3lu5CRgePc/a1TnOykX0VF1T6xQIByvWSBTkF8tUJJKEVrIRhQNzEgRedJGTnaApwIPircHfY+6CGDmvHpj96dwO6+ldj/7rX5Ttax7XOeTZwi5wjAL55lsQ9rKaQ==; expires=Mon, 01-Aug-2016 01:10:14 GMT; path=/; domain=the-ad.net

Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:14 GMT; path=/; domain=the-ad.net

120..<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc=" chk;document.getElementsByTagName("head")[0].appendChild(s);}check(2350);</script></head><body></body></html>..0..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_320:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPQ

xSSSh

FTPjKS

FtPj;S

C.PjRV

PASSWORD

REPORT

RegOpenKeyTransactedW

Cannot put setting information: %x

CreateProcess failed (%d).

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

FRegDeleteKeyExW

Product version: 1.0.1.1

1,0,1,1099

HTMLayout.dll

operator

portuguese-brazilian

GetProcessWindowStation

C:\iPumper\iPumper\Installer\Build\Release\TinyInstaller.pdb

HTMLayoutCombineURL

NETAPI32.dll

dbghelp.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegQueryInfoKeyW

ADVAPI32.dll

SHFileOperationW

ShellExecuteW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

COMCTL32.dll

WinHttpOpen

WinHttpCloseHandle

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetOption

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpQueryDataAvailable

WinHttpReadData

WINHTTP.dll

Secur32.dll

RPCRT4.dll

PSAPI.DLL

GetCPInfo

.?AUIHttpRequestEvents@Http@CommonLib@@

.?AVCThreadCRT@System@CommonLib@@

zcÃ

Ã»JB

{gm.Tt

16.Sr

.sN0|

x%C-B

%Uz7$

i[^(.Ny

0.vqA

bQ.ta

=i%xB

B%%d%q

.fLuY

c4Ã´

6Y.wNAB

>:v4.VV

=5%fI

%F>wZ

o4 EXE5`

5.kJ{

%CtN'v1_

0.Uu3

ny&;%x:

.aZu}

ek{;%c

:.BTK!

&0%%F

{%CM

FCRt`

4H.Lb

`ck(%X

.OnEu

(.tD"

yU%X`

sqli

[%Xc@

.YCjq

B%f,{

D.or{s-

N%Sy ]

/.dZzt

d/P.ep

.4.wC

.aOrW/

.PEGS^

zq6%d

2=r.JW

.gQ^U~

1.nD5

1T6.rxY

EG.Zx

H.kg9

W?)2h%s

N_WV&.Oq

Y\.CF{

Dm.tG

kmu.qE

=.Jc#

ÃGW

EQ.lt

}%U!q'

7-2uk}o

f.wgh~

`G571.Ug

^);~.wM

>.Zc$

.sE?>-QP"9.l

O3.TS

6.qhz

'*.oZ

9\0/$6&;

;ve[%F

#'BR-3}

.sj&f

%cj3y%o-D

ysqL

.Qrw!

S7W.AU

!T.yO

)$.wG/

7]*%Ue

.vKH,&

so%Ua

B/.TP

Np.sG

lg.ex

##% pI%c

Y.FVv

.tdx^

&.AzOB O}

.XS@(V@_

w[5.VmG

.dUh[tW

%URTH

.BR`uN

z.OJY

q\%u>

msg)R,

2.Lr6

8Y3%c

'@].Pu

oxdQB%xLXH

w9.AOk9

%~.ne

Ml.dVF[|

Y*b%ua

'f%C#

A(.wb

;&%sIT

!K.lW

1.Bj=

}wJ%D

\C%D

%X:Vt

.Xq8&

2.GTi

bJ.Qs

F}.TS

.Hh!:

!v-Q}

a-A}!!Y

.^.ok]

(%4sg

`D[#%UGtE[

%xt$ME

`.UIh

j-6}0

.kvt?

-U}yu

a.ujeE

X.hqPE

UK.rN}

7f#{%S

R5cu%XO

.RU9e

32.sW

o.JpI\>6

}.eXQ\

Q.mi

3T.NI

qâ‚¬u

w2)b%F

s)9.Fb

ÃTw

6w.br

^.wry

{E.LB

.bcb

_C.wa

Af.GR

X.Na6

p%0U'{

a&3:Md-a}

`%X\[

1M%DxV

6E.Zg

.CbP>B2

[1VeV%uBYU

54444444744476

(

)#0352%:

X.WX-WX

0 0*040=0

6$6)686_6

6i6F6y6}6

>)>0>9>>>

9 9$9(9,9

9,989@9`9

4,484@4`4

Checking is %s installed

Stopped dumping amitest.txt

Started deleting amitest.txt

amitest.txt

Started dumping amitest.txt

mism.exe started

Starting mism.exe

AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}

TypeLib\{44444444-4444-4444-4444-440344264420}\1.0\0\win32

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar

TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}\1.0\0\win32

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Run

VVV.products-placement.com

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

chromex

[d/d/d

d:d:d:d]

https:

http:

29-03-2013

Advapi32.dll

[ASCTaskScheduler] Error: TaskUrl value is invalid

QueryServiceStatusEx failed (%d)

[ASCTaskScheduler] Error: pExecAction->put_Path is failed

TaskUrl

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Can't delete file: %s

finish_screen.html

Key doesn't exist

Key exists

Checking does %s\%s exists

simapp_id: '%s'

"%s" --uninstall

"%s",1

Installing from: '%s' to '%s'

Mozilla\FireFox\Extensions

ntfdsaftsfdfdxx@mozilla.org

extension_firefox.xpi

Installing firefox extension

Installed: '%s'

Google\Chrome\Extensions\%s

extension_chrome.crx

Installing chrome extension

\iPumper.lnk

Starting distrib uninstaller: '%s'

Usenet.nl.exe

mediaget.exe

iPumper.exe

Uninstalling: '%s'

%s\%s

User global groups: %s

User local groups: %s

Default browser path: '%s'

http\shell\open\command

Windows version: %s

Parent process path: '%s'

Special param --config: '%s'

hXXp://%s/up/?key=%s&where=%s

%domain%

hXXp://%s/log/%s_crashlog

%s%i: %s - 0x%0X

\Updater.exe

Updater.exe was extracted

Extracting Updater.exe

Updater.exe

\extension_firefox.xpi

\extension_chrome.crx

\config.xml

Checking --auto switch: %d

Checking --silent switch: %d

Checking --uninstall switch: %d

Command line: '%s'

hXXp://%s/log/%s

Flushing log to domain: '%s'

CT3272810.startpageurl = %s

CT3272810.startpageurl

HKEY_CURRENT_USER\Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository exists

Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository

wstest.exe started

Starting wstest.exe

Qtrax folder was found: '%s'

\Microsoft\Silverlight\OutOfBrowser\*.portal.qtrax.com

Ping sent. Url: '%s'. Status: %d

secret_key

%s/%s

keywordinstalled

keywordexecute

hXXp://%s/api/%s/%s/%s

hXXp://%s/%s/suddendeath/

%s screen: cancel is pressed

%s screen: continue is pressed

%s screen is shown

.html

Start %s screen

Uninstalled started. Self path: '%s'

started: %d

?id_1=%s&id_2=%s&id_3=%s

zid: %s

bid: %s

visitor_id: %s

/s /i SweetImBing /u hXXp://VVV.amoninst.com/index.php /ta /x_t_b_toolbar

/u hXXp://VVV.amoninst.com/index.php /ta

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\avast

Oxy path: %s

\Oxy\Application\Oxy.exe

transmission-daemon.exe

hXXp://download.microsoft.com/download/c/6/e/c6e88215-0178-4c6c-b5f3-158ff77b1f38/NetFx20SP2_x86.exe

dotnetfx35.exe

v2.0.50727

\iPumper\iPumper.exe

Distrib downloaded: '%s'. Size: '%d'

hXXps://

hXXp://

Generated GUID: '%s'. Last error: %d

Keyword: '%s'

Programs path: '%s'

Install path: '%s'

Configured affid: '%s'

config.xml

download_screen.html

splash_screen.html

Installer started. Self path: '%s'. Self name: '%s'

KERNEL32.DLL

Windows NT 4

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows CE

Windows NT 3.51

Windows 95

Windows 95 SP1

Windows 95 OSR2

Windows 98

Windows 98 SP1

Windows 98 SE

Windows ME

unknown Windows version

Web Server Edition

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

WUSER32.DLL

c:\%original file name%.exe

0.0.0.0

xyzeAhK3X.lnk_p

%original file name%.exe_320_rwx_10001000_0025B000:

D$.QP

%u%8H

t5Ot.Ot

t5Nt.Nt

mt.It It

t"SSh

Y9O u%f

\$ ;\$0}

u 8F%u

\$09\$,~

@t.IIt

.FG;}

tGHt.Ht&

Corrupt JPEG data: found marker 0xx instead of RST%d

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Inconsistent progression sequence for component %d coefficient %d

Unknown Adobe color transform code %d

Obtained XMS handle %u

Freed XMS handle %u

Unrecognized component IDs %d %d %d, assuming YCbCr

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

Opened temporary file %s

Closed temporary file %s

Ss=%d, Se=%d, Ah=%d, Al=%d

Component %d: dc=%d ac=%d

Start Of Scan: %d components

Component %d: %dhx%dv q=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Smoothing not supported with nonstandard sampling ratios

RST%d

At marker 0xx, recovery action %d

Selected %d colors for quantization

Quantizing to %d colors

Quantizing to %d = %d*%d*%d colors

%4u %4u %4u %4u %4u %4u %4u %4u

Unexpected marker 0xx

Miscellaneous marker 0xx, length %u

with %d x %d thumbnail image

JFIF extension marker: type 0xx, length %u

Warning: thumbnail image size does not match data length %u

JFIF APP0 marker: version %d.d, density %dx%d %d

= = = = = = = =

Obtained EMS handle %u

Freed EMS handle %u

Define Restart Interval %u

Define Quantization Table %d precision %d

Define Huffman Table 0xx

Define Arithmetic Table 0xx: 0xx

Unknown APP14 marker (not Adobe), length %u

Unknown APP0 marker (not JFIF), length %u

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unsupported marker type 0xx

Failed to create temporary file %s

Unsupported JPEG process: SOF type 0xx

Cannot quantize to more than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize more than %d color components

Insufficient memory (case %d)

Not a JPEG file: starts with 0xx 0xx

Quantization table 0xx was not defined

Huffman table 0xx was not defined

Backing store not supported

Arithmetic table 0xx was not defined

Cannot transcode due to multiple use of quantization table %d

Maximum supported image dimension is %u pixels

Empty JPEG image (DNL not supported)

Bogus DQT index %d

Bogus DHT index %d

Bogus DAC value 0x%x

Bogus DAC index %d

Unsupported color conversion request

Too many color components: %d, max %d

Buffer passed to JPEG library is too small

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Improper call to JPEG library in state %d

Invalid scan script at entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Unsupported JPEG data precision %d

Invalid memory pool code %d

Wrong JPEG library version: library is %d, caller expects %d

Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c

DCT scaled block size %dx%d not supported

Invalid component ID %d in SOS

Bogus message code %d

%ld%c

NULL row buffer for row %ld, pass %d

libpng error: %s

libpng warning: %s

Buffer error in compressed datastream in %s chunk

Data error in compressed datastream in %s chunk

Incomplete compressed datastream in %s chunk

Unknown zTXt compression type %d

gamma = (%d/100000)

gx=%f, gy=%f, bx=%f, by=%f

wx=%f, wy=%f, rx=%f, ry=%f

incorrect gamma=(%d/100000)

Unknown compression type %d

zero length keyword

keyword length must be 1 - 79 characters

Zero length keyword

extra interior spaces removed from keyword

leading spaces removed from keyword

trailing spaces removed from keyword

invalid keyword character 0xX

Out of memory while procesing keyword

mscoree.dll

.mixcrt

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

kernel32.dll

?#%X.y

GetProcessWindowStation

USER32.DLL

operator

accesskey

user32.dll

CSS ERROR, bad selector in select_elements_by_css: %S

uxtheme.dll

orientation-portrait

composition-supported

1.4.3

1.2.3

file://%s

Error: cannot open %s

CSSS! RUNTIME ERROR evaluating:%s

SourceUrl

Content-Type: application/x-www-form-urlencoded;charset=utf-8

https

htmlayout 3.3; %s; VVV.terrainformatica.com )

HTTP/1.0

Content-Length: %d

Content-Type: multipart/form-data; boundary=%s

key-on!

key-off!

CSS ERROR in %s at line %d: bad attribute declaration syntax:

CSS ERROR in %s at line %d: bad attribute syntax, ignored:

CSS ERROR in %s at line %d: bad combination of 'display-model' and 'display'

CSS ERROR in %s at line %d: tag %s was already defined

CSS ERROR in %s at line %d: 'display-model' without 'display' definition

CSS ERROR in %s at line %d: bad css selector, following declaration skipped:

CSS ERROR in @import statement at line %d:

CSS ERROR in @include statement at line %d:

CSS ERROR in @font-face statement at line %d, font resource %s is not available

CSS ERROR in @font-face statement at line %d, failed to install font

CSS ERROR in @font-face statement at line %d, declaration is not complete

CSS ERROR in @font-face statement at line %d:

CSS ERROR in @set statement at line %d:

CSS ERROR in @set statement at line %d, parent set %s is not found

CSS ERROR in %s at line %d: AT-rule is not acceptable here, following declaration skipped:

CSS ERROR in %s at line %d: wrong @const declaration, following statement skipped:

CSS ERROR in %s at line %d: invalid @media declaration

crosshair

url()

CSS ERROR in colorize() function: bad color value: %S

CSS ERROR, function '%s' is not supported

CSSS! ERROR in %s at line %d: %s

res:master.css

CSSS! RUNTIME ERROR:%s

ERROR: cyclic INCLUDE of url %s

http-equiv

button.plus

password

-password-char

%u-%u-%u

%u:%u:%u

comctl32.dll

.today

.other-month

u-u-u

.other-year

.other-decade

%d-
%d

image%d%s

http:*

https:*

%d(%d)

cid:%s

Windows-3.11

Windows-95

Windows-95-OSR2

Windows-98

Windows-98-SE

Windows-ME

Windows-CE

Windows-NT4

Windows-2000

Windows-2003

Windows-XP

Windows-Vista

Windows-7

above-Windows-7

%Y-%m-%dZ

%Y-%m-%d

%Y-%m-%dT%H:%MZ

%Y-%m-%dT%H:%M

%Y-%m-%dT%H:%M:%SZ

%Y-%m-%dT%H:%M:%S

%H:%M:%SZ

%H:%M:%S

/:$-_.!*'(),?&=@#%

windows-1250

windows-1253

windows-1256

windows-1255

windows-1251

windows-1252

windows-1257

windows-1258

windows-1254

windows-874

unknown bytecode=%d

attribute '%S' not found or is read only

attribute '%S' not found

function '%S' not found

state flag '%S' not found

state flag '%S' not found or is read only

event '%S' not found

constant '%S' not found

unknown character with code 0x%x

unexpected token '%S'

got '%S' but required %S

bad name token '%S'

unknown variable '%S'

Msimg32.dll

image/vnd.microsoft.icon

UXTHEME.DLL

burlywood

%1x%1x%1x

%1x%1x%1x%1x

%2x%2x%2x

%2x%2x%2x%2x

%s,%u,%d,%d:%dx%d,%d,%d,%d,%d,%d,X

,XXXXXX

url(*)

0123456789

stroke-linejoin

zcÃ

) *,*,* *-*.*.*-*4*5*5*4*

.?AUevent_key@html@@

.?AUimage_functor@?1??get_image_urls@document@html@@QAEXAAV?$array@Vstring@tool@@@tool@@@Z@

.?AUexec_env@csss@html@@

.?AUurl_edit_ctl@html@@

.?AUurl_ctl_factory@html@@

.?AUpassword_edit_ctl@html@@

.?AUpassword_ctl_factory@html@@

!"#$%&'()

c:\%original file name%.exe

.www=9Z

style="foreground-image:url(res:edit-undo.png)"

>UndoCtrl Z

style="foreground-image:url(res:edit-cut.png)"

>CutCtrl X

style="foreground-image:url(res:edit-copy.png)"

>CopyCtrl C

style="foreground-image:url(res:edit-paste.png)"

>PasteCtrl V

>Select AllCtrl A

style="foreground-image:url(res:edit-undo.png)"

>UndoCtrl Z

style="foreground-image:url(res:edit-cut.png)"

>CutCtrl X

style="foreground-image:url(res:edit-copy.png)"

>CopyCtrl C

style="foreground-image:url(res:edit-paste.png)"

>PasteCtrl V

>Select AllCtrl A

Cells:

>MergeBackspace

>Split by rowsCtrl 1

>Split by columnsCtrl 2

PADhtml { behavior: accesskeys; }

background-image:url(theme:groupbox-normal);

fieldset > legend:rtl /* see hXXp://terrainformatica.com/forums/topic.php?id=1772 */

widget[type="password"],

input[type="password"],

widget[type="url"],

input[type="url"],

background-image:url(theme:edit-normal);

context-menu:url(res:behavior-edit-menu.htm);

background-image:url(theme:edit-disabled);

:root[type="password"]

behavior:password;

:root[type="url"]

behavior:url;

context-menu:url(res:behavior-edit-menu.htm);

:root > button.minus

background-image:url(theme:v-spin-minus-normal);

:root:rtl > button.minus

:root > button.minus:hover

background-image:url(theme:v-spin-minus-hover);

:root > button.minus:active

background-image:url(theme:v-spin-minus-pressed);

:root > button.minus:disabled

background-image:url(theme:v-spin-minus-disabled);

:root > button.plus

background-image:url(theme:v-spin-plus-normal);

:root:rtl > button.plus

:root > button.plus:hover

background-image:url(theme:v-spin-plus-hover);

:root > button.plus:active

background-image:url(theme:v-spin-plus-pressed);

:root > button.plus:disabled

background-image:url(theme:v-spin-plus-disabled);

background-image:url(theme:button-normal);

background-image:url(theme:button-defaulted);

background-image:url(theme:button-hover);

background-image:url(theme:button-pressed);

background-image:url(theme:button-disabled);

background-image:url(theme:button-pressed); /* ?? */

background-image:url(theme:radio-normal);

background-image:url(theme:radio-hover);

background-image:url(theme:radio-pressed);

background-image:url(theme:radio-disabled);

background-image:url(theme:radio-checked-normal);

background-image:url(theme:radio-checked-hover);

background-image:url(theme:radio-checked-pressed);

background-image:url(theme:radio-checked-disabled);

background-image:url(theme:check-normal);

background-image:url(theme:check-hover);

background-image:url(theme:check-pressed);

background-image:url(theme:check-disabled);

background-image:url(theme:check-checked-normal);

background-image:url(theme:check-checked-hover);

background-image:url(theme:check-checked-pressed);

background-image:url(theme:check-checked-disabled);

background-image:url(theme:check-mixed-normal);

background-image:url(theme:check-mixed-hover);

background-image:url(theme:check-mixed-pressed);

background-image:url(theme:check-mixed-disabled);

foreground-image:url(stock:arrow-down); /* that arrow */

background-image:url(theme:h-progress-back);

foreground-image:url(theme:h-progress-chunk);

background-image:url(theme:edit-normal);

background-image:url(theme:edit-disabled);

foreground-image:url(theme:tree-view-glyph-closed); }

foreground-image:url(theme:tree-view-glyph-open); }

/* tree line support: */

foreground-image:url(theme:check-normal);

option:incomplete > :first-child { foreground-image:url(theme:check-mixed-normal); }

option:checked > :first-child { foreground-image:url(theme:check-checked-normal); }

background-image:url(theme:edit-normal);

background-image:url(theme:edit-disabled);

foreground-image:url(theme:check-normal);

foreground-image:url(theme:check-checked-normal);

/* caption portion of combobox */

/* caption portion of combobox when select is in focus */

:url(theme:combobox-button-normal);

background-image:url(theme:combobox-button-hover);

background-image:url(theme:combobox-button-pressed);

background-image:url(theme:combobox-button-disabled);

:root { background-image:url(theme:button-normal); }

:root:hover { background-image:url(theme:button-hover); }

:root:disabled { background-image:url(theme:button-disabled); }

:root:active { background-image:url(theme:button-pressed); }

:root > button { background: url(stock:arrow-down) center center no-repeat;}

:root > button:hover { background-image:url(stock:arrow-down); background-position: center center; background-repeat: no-repeat;}

:root > button:active { background-image:url(stock:arrow-down); background-position: center center; }

:root:disabled > button { background-image:url(stock:arrow-down); background-position: center center; }

context-menu:url(res:behavior-richtext-menu.htm);

background-image:url(theme:edit-normal);

context-menu:url(res:behavior-text-menu.htm);

background-image:url(theme:h-trackbar-back);

:root > .slider

foreground-image:url(theme:h-trackbar-thumb-normal);

:root:focus > .slider

foreground-image:url(theme:h-trackbar-thumb-focus);

:root > .slider:hover

foreground-image:url(theme:h-trackbar-thumb-hover);

:root > .slider:active

foreground-image:url(theme:h-trackbar-thumb-pressed);

:root:disabled > .slider

foreground-image:url(theme:h-trackbar-thumb-disabled);

background-image:url(theme:v-trackbar-back);

foreground-image:url(theme:v-trackbar-thumb-normal);

foreground-image:url(theme:v-trackbar-thumb-focus);

foreground-image:url(theme:v-trackbar-thumb-hover);

:root > .slider:active

foreground-image:url(theme:v-trackbar-thumb-pressed);

foreground-image:url(theme:v-trackbar-thumb-disabled);

:root > div.page

/*:root > splitter:active { background:transparent url(theme:toolbar-button-checked) stretch; }*/

background-image:url(stock:arrow-right); /* that arrow */

/* accesskey label (span) */

span.accesskey

menu > option:current span.accesskey,

li:current span.accesskey

img.hr

menu.popup,

menu.context,

div.prev-date

background-image:url(theme:h-scrollbar-minus-normal);

div.prev-date:rtl

div.prev-date:active

background-image:url(theme:h-scrollbar-minus-pressed);

div.prev-date:hover {

background-image:url(theme:h-scrollbar-minus-hover);

div.next-date

background-image:url(theme:h-scrollbar-plus-normal);

div.next-date:rtl

div.next-date:active

background-image:url(theme:h-scrollbar-plus-pressed);

div.next-date:hover {

background-image:url(theme:h-scrollbar-plus-hover);

td.month.off,

td.day.off

td.day.other-month,

td.year.other-year,

td.decade.other-decade

:root:current td.month:current,

:root:focus td.month:current,

:root:current td.day:current,

:root:focus td.day:current,

:root:current td.year:current,

:root:focus td.year:current,

:root:current td.decade:current,

:root:focus td.decade:current

td.today

div.button

div.button:hover

background-image:url(theme:toolbar-button-hover);

div.button:active

background-image:url(theme:toolbar-button-pressed);

text.statusbar

span.today

span.today:hover {

background-image:url(theme:toolbar-button-hover);

span.today:active {

background-image:url(theme:toolbar-button-pressed);

span.today-legend

background-image:url(theme:combobox-button-normal);

:root > button.minus:rtl

:root > button.plus:rtl

GetProcessHeap

GetConsoleOutputCP

GetCPInfo

SetViewportOrgEx

SetViewportExtEx

GetViewportExtEx

GetAsyncKeyState

GetKeyboardLayout

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

InternetCombineUrlA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

5.''.''.' '' $ ';~

&)-),)-))--)--

"""4.&."

$,((0(($

$$ ($(0,,$( 0($,, $$,\ $

,40000$(((($0($((

40$$$(,,,$

.text

`.rdata

@.data

.rsrc

@.reloc

%d%%%%

s*.url

[id='%S'],[name='%S']

frame[id='%s'],frame[name='%s']

#xxx

width(%d%%)

height(%d%%)

url(%S)

import

%S %S %S %S

selector(%S)

%S %S

key-code

key-on

key-off

%s %S

frame[id='%S'],frame[name='%S']

frame[name='%s'],frame#%s

[name='%s']

important

td[value='u-u-u']

div.button.month

div.button.year

tr:nth-child(%d)

All files (*.*)

%S.%s

[command='%s']

ncid:%S

7%d;

^(ftp|https?)://((\d \.\d \.\d \.\d |[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*))(:[0-9] )?((/[_a-zA-Z0-9\.\-]*) )*(\?[_a-zA-Z0-9\&\=\%\,\-\!\{\}] )?(\#[_a-zA-Z0-9\%] )?$

^ftp\.[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*((/[_a-zA-Z0-9\.\-]*) )*

hXXp://

PTF://

operand stack overflow

operator stack overflow

missing operand for

operator stack underflow

unknown _operator in evaluntil

())(>

&'()* ,-