not-a-virus:AdWare.Win32.OutBrowse.bzb (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2c328ed34b295e5905a9684374cf95dd
SHA1: 924a68fcdfea14a664a20eb7a5aeddd4853d0e87
SHA256: f2999d031e3dca3fe8b3f2ccc2d8e296dd840555ed9bc91c69b77d44694fb7a8
SSDeep: 98304:EwIjOp0hKqLhn6O8hp w1djHxhKnL4qUUql3Oxl1VBImEQ/2c39Ol6MYKA/BKede:EwU0HDjKEhml1VBIQ Qwl6MYKA/Bzde
Size: 6337148 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2007-04-19 03:08:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
setup.exe:880
%original file name%.exe:188
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DSS_Unq_IMapplication_mon_remote_dcmd[1].htm (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\SecondResult.txt (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_htiw_qinu[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsDialogs.dll (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotn1ba3.rra (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe (66929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\DIFx1bd2.rra (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt1c10.rra (7316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difx1c5f.rra (10582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.ini (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\setup.ini (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Delta Tail Betta Wallpaper\UninstallDeltaTailBetta.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\setu1b74.rra (7348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setu294f.rra (4984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Stri1bd2.rra (791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\layout.bin (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\defa1c20.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Font1bc2.rra (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.hdr (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsR1c3f.rra (4314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\core1ba3.rra (2334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.cab (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe (12536 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DigiAqua_7598[1].exe (0 bytes)
Registry activity
The process setup.exe:880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015112420151125\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CachePrefix" = ":2015112420151125:"
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF FC DF B1 80 F8 81 0A C7 8C 9C B4 FB 04 5E A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 A9 C4 7D 44 44 46 BC 91 CD C6 A1 1F 96 8F 27"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
5264f7d6d89d1dc04955cfb391798446 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\GetVersion.dll |
b140459077c7c39be4bef249c2f84535 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\Math.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\System.dll |
7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\UserInfo.dll |
5afd4a9b7e69e7c6e312b2ce4040394a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\blowfish.dll |
94ba775c8a1f4d6c9bb1966eddce22b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\manlib.dll |
fe3f848e2a306d586ab8f5433738d8db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsDialogs.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsisunz.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\registry.dll |
febff2c363c7f7664687eefe8253087e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\serlib.dll |
d061c9eea5e041658028c32aa739984f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\setup.exe |
69348c7c4260e37c1c72edf236995be1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotnetinstaller.exe |
898515a4ae2fb9d74ae2a905cf82b074 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsRes.dll |
1bd976dd77b31fe0f25708ad5c1351ae | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difxapi.dll |
77a3125a2059f39a9bef961953a8db8d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt.dll |
6c48e05107eb494620ab0dc96d3c5b80 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll |
6fd5033f836dbc81fda60620d9c0ba52 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll |
6f58a1d8e7b031c6f2a60ba04d1a0b7d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe |
6fd5033f836dbc81fda60620d9c0ba52 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll |
d061c9eea5e041658028c32aa739984f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DSS_Unq_IMapplication_mon_remote_dcmd[1].htm (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\SecondResult.txt (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_htiw_qinu[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotn1ba3.rra (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe (66929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\DIFx1bd2.rra (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt1c10.rra (7316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difx1c5f.rra (10582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.ini (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\setup.ini (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Delta Tail Betta Wallpaper\UninstallDeltaTailBetta.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\setu1b74.rra (7348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setu294f.rra (4984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Stri1bd2.rra (791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\layout.bin (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\defa1c20.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Font1bc2.rra (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.hdr (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsR1c3f.rra (4314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\core1ba3.rra (2334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.cab (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe (12536 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Macrovision Corporation
Product Name: InstallShield
Product Version: 14.0
Legal Copyright: Copyright (C) 2007 Macrovision Corporation
Legal Trademarks:
Original Filename: Setup.exe
Internal Name: Setup
File Version: 14.0.162
File Description: Setup.exe
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 293442 | 294912 | 4.56241 | 246bc04c9934d94ae3e5085c0fbab939 |
.rdata | 299008 | 39536 | 40960 | 3.16332 | 16f2af57c4910be773837ffdb7fbde59 |
.data | 339968 | 29740 | 24576 | 2.27004 | ed1e754e7b6303e212e660e942089261 |
.rsrc | 372736 | 7000 | 8192 | 4.25048 | 1fc89bcfdfcdf5c08b6e2805b4bd1040 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 70
Network Activity
URLs
URL | IP |
---|---|
hxxp://cds.u6k4e8n6.hwcdn.net/DigiAqua_7598.exe | |
hxxp://23.22.255.164/download.php?ln6GeA== | |
hxxp://fcesneim.us/FCL_htiw_qinu.php | |
hxxp://stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php | |
hxxp://cds.u6k4e8n6.hwcdn.net/os/rm/OfferScreen_12_HD.zip | |
hxxp://cds.u6k4e8n6.hwcdn.net/os/rm/OfferScreen_422.zip | |
hxxp://secured.cdnpmmm.us/DigiAqua_7598.exe | 69.16.175.42 |
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php | 50.97.62.154 |
hxxp://www.fcesneim.us/FCL_htiw_qinu.php | 50.19.102.217 |
hxxp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip | 69.16.175.42 |
hxxp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip | 69.16.175.42 |
hxxp://www.comar13west.com/download.php?ln6GeA== | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /DSS_Unq_IMapplication_mon_remote_dcmd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&mode=checker&utid=37.57.16.189_2015-11-23_23:57:47&pubid=11660&CbId=7598&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mun81YJHk71SsLj1y8vIIG48&DB=IE&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/419~NO~4/422~YES~0/430~NO~15/460~YES~0/575~NO~4/576~NO~4/689~YES~0/
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 620
Connection: close
Content-Type: text/html; charset=UTF-8
422~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..422#RE3|mystartsearchSoftware\mystartsearchhp#RCMD|-pub_id=314 -adv_id=76#SLP|30^6#PKG|NO#INT|Mntz_Installer.exe..12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_38a77a.exe#PKG|NO#INT|rcpsetup_17970.exe..
GET /os/rm/OfferScreen_422.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426709167"
Last-Modified: Wed, 18 Mar 2015 20:06:07 GMT
Cache-Control: max-age=53850
Content-Length: 7218
Content-Type: application/octet-stream
X-HW: 1448341070.dop007.fr7.t,1448341069.cds026.fr7.c
<<< skipped >>>
GET /os/rm/OfferScreen_12_HD.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411022125"
Last-Modified: Thu, 18 Sep 2014 06:35:25 GMT
Cache-Control: max-age=53813
Content-Length: 10048
Content-Type: application/octet-stream
X-HW: 1448341070.dop008.fr7.t,1448341069.cds002.fr7.c
<<< skipped >>>
POST /FCL_htiw_qinu.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fcesneim.us
Content-Length: 106
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&pubid=11660&CbId=7598&BundleVersionID=IM_240914@01&mid=qGKynuZ0mun81YJHk71SsLj1y8vIIG48
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.14
Content-Length: 1943
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php..hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php..UA..hXXp://www.stsunsetwest.com/DS_AdvAffiliateId.php..37.57.16.189_2015-11-23_23:57:47..NULL..12#RE2|Systweak\RegClean Pro\Version 6.1..419#O|V^0*S^0*E^0*EV1^0*T^0,B1|C*F*I,F1|Mail.Ru\MailRuUpdater.exe,F1|Amigo\Application\amigo.exe,RE2|Amigo,RR2|IM^330,RE3|Clients\StartMenuInternet\amigo.exe,RE3|Microsoft\MediaPlayer\ShimInclusionList\amigo.exe,RE3|Microsoft\Windows\CurrentVersion\App Paths\amigo.exe..422#D|2A^0,RE3|webssearchesSoftware\webssearcheshp,RE3|qone8Software\qone8hp,RE3|awesomehpSoftware\awesomehphp,RE3|aartemisSoftware\aartemishp,RE3|sweet-pageSoftware\sweet-pagehp,RE3|omiga-plusSoftware\omiga-plushp,RE3|vi-viewSoftware\vi-viewhp,RE3|istartsurfSoftware\istartsurfhp,RE3|mystartsearchSoftware\mystartsearchhp,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast..430#O|X^0*V^0*S^0*E^0*EV1^0*T^0,D|3.5A^0,B2|I^7TU*F^29TU,WBCS|WebbionBrowserChecks,RV3|Lavasoft\Web Companion^Installed^1..460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malwarebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiClient,RE2|AVG,RE2|Classes\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D},RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira..575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\M
<<< skipped >>>
GET /DigiAqua_7598.exe HTTP/1.1
User-Agent: toys::file
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:44 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1448307590"
Last-Modified: Mon, 23 Nov 2015 19:39:50 GMT
Cache-Control: max-age=86399
Content-Length: 232450
Content-Type: application/octet-stream
X-HW: 1448341064.dop014.fr7.t,1448341064.cds029.fr7.c
<<< skipped >>>
GET /download.php?ln6GeA== HTTP/1.1
User-Agent: toys::file
Host: VVV.comar13west.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Tue, 24 Nov 2015 04:57:42 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: hXXp://secured.cdnpmmm.us/DigiAqua_7598.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /DigiAqua_7598.exe HTTP/1.1
User-Agent: toys::file
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:43 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1448307590"
Last-Modified: Mon, 23 Nov 2015 19:39:50 GMT
Cache-Control: max-age=86400
Content-Length: 232450
Content-Type: application/octet-stream
X-HW: 1448341063.dop011.fr7.t,1448341063.cds029.fr7.p
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_188:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
SSSh88E
SSSh88E
SSSh(8E
SSSh(8E
SSSSh0u
SSSSh0u
PSSh RE
PSSh RE
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
user32.dll
user32.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamA
CreateDialogIndirectParamA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegEnumKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteExA
ShellExecuteExA
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
LZ32.dll
LZ32.dll
RPCRT4.dll
RPCRT4.dll
GetCPInfo
GetCPInfo
EnumChildWindows
EnumChildWindows
SetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
Folder=%s
Folder=%s
File=%s
File=%s
explorer.exe
explorer.exe
ErrorInformation=%s
ErrorInformation=%s
setup.log
setup.log
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
KERNEL32.DLL
KERNEL32.DLL
EXE=%s
EXE=%s
ISSetup.dll
ISSetup.dll
_Setup2k.dll
_Setup2k.dll
_Setup7.dll
_Setup7.dll
setup.isn
setup.isn
_Setup.dll
_Setup.dll
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp
setup.exe
setup.exe
hXXp://VVV.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
hXXp://VVV.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
data1.hdr
data1.hdr
=Result=%s
=Result=%s
HeaderPathFile=%s
HeaderPathFile=%s
User=%s
User=%s
Password=%s
Password=%s
ProxyUser=%s
ProxyUser=%s
ProxyPassword=%s
ProxyPassword=%s
Result=%s
Result=%s
-sel_langx
-sel_langx
setup.inx
setup.inx
layout.bin
layout.bin
SourceFile=%s
SourceFile=%s
TargetFile=%s
TargetFile=%s
data1.cab
data1.cab
.?AVhttp_file@is@@
.?AVhttp_file@is@@
d.d %s%s
d.d %s%s
%s %ld %s
%s %ld %s
%ld %s
%ld %s
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
.Default\Control Panel\desktop\ResourceLocale
.Default\Control Panel\desktop\ResourceLocale
Kernel32.dll
Kernel32.dll
kernel32.dll
kernel32.dll
Ntdll.dll
Ntdll.dll
psapi.dll
psapi.dll
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
SetupExe: %s
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
%s|%s|
%s|%s|
%s%s%s
%s%s%s
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
HttpEndRequestA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FtpFindFirstFileA
FtpFindFirstFileA
HttpQueryInfoA
HttpQueryInfoA
InternetCreateUrlA
InternetCreateUrlA
InternetCrackUrlA
InternetCrackUrlA
InternetOpenUrlA
InternetOpenUrlA
wininet.dll
wininet.dll
RPAWINET.DLL
RPAWINET.DLL
Mozilla
Mozilla
AutoConfigURL
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%d.%d
%d.%d
%d.%d.%d.%d
%d.%d.%d.%d
iexplore.exe
iexplore.exe
\mozver.dat
\mozver.dat
netscp6.exe
netscp6.exe
netscape.exe
netscape.exe
FTP_ProxyPort
FTP_ProxyPort
FTP_Proxy
FTP_Proxy
HTTPS_ProxyPort
HTTPS_ProxyPort
HTTPS_Proxy
HTTPS_Proxy
https=
https=
HTTP_ProxyPort
HTTP_ProxyPort
HTTP_Proxy
HTTP_Proxy
http=
http=
\prefs.js
\prefs.js
\nsreg.dat
\nsreg.dat
\registry.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http_port"
"network.proxy.http"
"network.proxy.http"
network.proxy.type
network.proxy.type
Range: bytes=%d-
Range: bytes=%d-
source%d
source%d
dest%d
dest%d
InstallShieldPendingOperation
InstallShieldPendingOperation
MPR.DLL
MPR.DLL
.rdata
.rdata
.debug
.debug
zcÃ
zcÃ
uxtheme.dll
uxtheme.dll
%hx.rra
%hx.rra
skin.ini
skin.ini
-x
-x
%d,%d,%d
%d,%d,%d
%d,%d
%d,%d
c:\%original file name%.exe
c:\%original file name%.exe
!"#$%&'()* ,
!"#$%&'()* ,
version="1.0.0.0"
version="1.0.0.0"
name="InstallShield.Setup"
name="InstallShield.Setup"
InstallShield.Setup
InstallShield.Setup
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
PAPP:%s
PAPP:%s
PVENDOR:%s
PVENDOR:%s
PGUID:%s
PGUID:%s
>%s (%d)
>%s (%d)
123.tmp
123.tmp
hXXp://
hXXp://
%ld : 0x%x
%ld : 0x%x
%*.*f
%*.*f
lISSetup.dll
lISSetup.dll
setup.ini
setup.ini
pinstallfromweb:
pinstallfromweb:
key%d
key%d
cmdline
cmdline
ErrorReportURL
ErrorReportURL
CompanyURL
CompanyURL
PasswordDialog
PasswordDialog
hXXps://
hXXps://
\Engine\Log
\Engine\Log
SUPPORTDIR
SUPPORTDIR
SHOW_PASSWORD_DIALOG
SHOW_PASSWORD_DIALOG
PTF://
PTF://
setup.gif
setup.gif
setup.bmp
setup.bmp
setupdir\x
setupdir\x
%d%s%d%s%d%s%d
%d%s%d%s%d%s%d
Windows XP
Windows XP
Windows Server2003
Windows Server2003
Windows Vista
Windows Vista
Windows 2000
Windows 2000
Windows 95
Windows 95
Windows 98
Windows 98
Windows Me
Windows Me
Windows NT 4.0
Windows NT 4.0
EXPLORER.EXE
EXPLORER.EXE
PSTORES.EXE
PSTORES.EXE
%s%s%d.%s
%s%s%d.%s
Setup.exe
Setup.exe
14.0.162
14.0.162
%original file name%.exe_188_rwx_003C0000_00002000:
The procedure %s could not be located in the DLL %s.
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
%original file name%.exe_188_rwx_00A41000_00137000:
t.OOt
t.OOt
SSSSh0u
SSSSh0u
SSSSh
SSSSh
u#SSSSh
u#SSSSh
SSSSh$O
SSSSh$O
WSSh|Z
WSSh|Z
WSShlZ
WSShlZ
SSSh Z
SSSh Z
SSShlZ
SSShlZ
PSSht
PSSht
PSShd
PSShd
PSSh\
PSSh\
PSShT
PSShT
^}•x
^}•x
AUTPRX32.DLL
AUTPRX32.DLL
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
user32.dll
user32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
CreateDialogIndirectParamA
CreateDialogIndirectParamA
EnumChildWindows
EnumChildWindows
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegOpenKeyA
RegOpenKeyA
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RPCRT4.dll
RPCRT4.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
GetCPInfo
GetCPInfo
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_IsIIDSupported
ISSetup.dll
ISSetup.dll
C:\CodeBases\isdev\src\Shared\LogServices2\ComVariantEx2.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\ComVariantEx2.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\FeatureLog.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\FeatureLog.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\LogDB.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\LogDB.cpp
sC:\CodeBases\isdev\src\Shared\LogServices2\LogServices.cpp
sC:\CodeBases\isdev\src\Shared\LogServices2\LogServices.cpp
_hk%d
_hk%d
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypes.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypes.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeClsFactory.h
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeClsFactory.h
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeTuple.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeTuple.cpp
Result=%s
Result=%s
%s=%s
%s=%s
C:\CodeBases\isdev\src\Shared\LogServices2\persist.h
C:\CodeBases\isdev\src\Shared\LogServices2\persist.h
ID_%d
ID_%d
oC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\CABFile.cpp
oC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\CABFile.cpp
setup.ini
setup.ini
xj%s\%s
xj%s\%s
%s %s:%s
%s %s:%s
AE7D33AA-6C76-4FC5-A151-633472AD6A94
AE7D33AA-6C76-4FC5-A151-633472AD6A94
layout.bin
layout.bin
Data1.cab
Data1.cab
Data1.hdr
Data1.hdr
QC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Component.cpp
QC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Component.cpp
%d.%d.%d.%d
%d.%d.%d.%d
%d.%d
%d.%d
UnresolvedTarget=%s
UnresolvedTarget=%s
ResolvedTarget=%s
ResolvedTarget=%s
Feature=%s
Feature=%s
Target=%s
Target=%s
Source=%s
Source=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TargetFile.h
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TargetFile.h
'`.exe
'`.exe
File=%s
File=%s
OverwriteDetails=%s
OverwriteDetails=%s
wC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\DriverWrapper.cpp
wC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\DriverWrapper.cpp
\AppHelp.dll
\AppHelp.dll
ISBEW64.exe
ISBEW64.exe
Component=%s
Component=%s
RegExe=%s
RegExe=%s
RegCmdLine=%s
RegCmdLine=%s
DotNetInstaller.exe
DotNetInstaller.exe
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileGroup.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileGroup.cpp
OSFlavors4SingleOperation=0xlx
OSFlavors4SingleOperation=0xlx
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
KERNEL32.DLL
KERNEL32.DLL
%hx.rra
%hx.rra
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileRegistrar.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileRegistrar.cpp
aSResult=%s
aSResult=%s
oleaut32.dll
oleaut32.dll
RegisterFile%d
RegisterFile%d
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
ZBC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileService.cpp
ZBC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileService.cpp
ShowPasswordDialog
ShowPasswordDialog
CmdLine
CmdLine
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\IScriptWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\IScriptWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\KernelMedia.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\KernelMedia.cpp
setup.inx
setup.inx
_Setup.dll
_Setup.dll
data2.cab
data2.cab
data1.cab
data1.cab
data1.hdr
data1.hdr
setup.exe
setup.exe
CF3DC1C0-3C9A-11D3-88ED-00C04F72F303
CF3DC1C0-3C9A-11D3-88ED-00C04F72F303
MediaFile=%s
MediaFile=%s
User=%s
User=%s
Password=%s
Password=%s
ProxyUser=%s
ProxyUser=%s
ProxyPassword=%s
ProxyPassword=%s
SetupLauncherName=%s
SetupLauncherName=%s
TempDisk1Folder=%s
TempDisk1Folder=%s
Script
Script
PUBLICKEY
PUBLICKEY
Name=Name=%s
Name=Name=%s
Name=%s
Name=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectHolder.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectHolder.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\PropertyBag.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\PropertyBag.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Reboot.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Reboot.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Registry.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Registry.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\RegistrySet.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\RegistrySet.cpp
RootKey=0xlx
RootKey=0xlx
Key=%s
Key=%s
Data=%s
Data=%s
CreateKeyEnd
CreateKeyEnd
CreateKeyBegin
CreateKeyBegin
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ServiceProvider.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ServiceProvider.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SetupType.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SetupType.cpp
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SharedFiles.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SharedFiles.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Shell.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Shell.cpp
ISShellObjOp
ISShellObjOp
Folder=%s
Folder=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ShellLink.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ShellLink.cpp
FType=%s
FType=%s
ProgramFolder=%s
ProgramFolder=%s
ItemName=%s
ItemName=%s
CommandLine= %s
CommandLine= %s
WorkingDir=%s
WorkingDir=%s
IconFile=%s
IconFile=%s
ShortcutKey=%s
ShortcutKey=%s
Hotkey
Hotkey
Type=%s
Type=%s
PendingFileRenameOperations
PendingFileRenameOperations
WININIT.INI
WININIT.INI
Value=%s
Value=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TextSubstitution.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TextSubstitution.cpp
TextSub=%s
TextSub=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TransferEventsListener.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TransferEventsListener.cpp
agent.exe
agent.exe
Library=%s
Library=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\ErrorObj.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\ErrorObj.cpp
Type=%S
Type=%S
Description=%S
Description=%S
Source=%S
Source=%S
HelpFile=%S
HelpFile=%S
ISRT.dll
ISRT.dll
(string)%s
(string)%s
(stringw)%S
(stringw)%S
Function=%s
Function=%s
ReturnType=%s
ReturnType=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptDebug.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptDebug.cpp
InstallShield.SetupScriptDebugger.14
InstallShield.SetupScriptDebugger.14
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptEngine.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptEngine.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptImpl.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptImpl.cpp
ExportedFuncEnd
ExportedFuncEnd
ExportedFuncBegin
ExportedFuncBegin
Method=%s
Method=%s
hC:\CodeBases\isdev\src\Runtime\InstallScript\iScript\struct.cpp
hC:\CodeBases\isdev\src\Runtime\InstallScript\iScript\struct.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\BillBoads.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\BillBoads.cpp
DH%s\bbrd%d.bmp
DH%s\bbrd%d.bmp
%s\bbrd%d.wmf
%s\bbrd%d.wmf
C:\CodeBases\isdev\src\Runtime\InstallScript\User\MainWindow.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\MainWindow.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\UserInterface.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\UserInterface.cpp
%d,%d,%d
%d,%d,%d
%d,%d
%d,%d
d.d %s%s
d.d %s%s
%s %ld %s
%s %ld %s
%ld %s
%ld %s
.rdata
.rdata
.debug
.debug
BetaMarker.dat
BetaMarker.dat
EvalMarker.dat
EvalMarker.dat
InstallShield.SetupKernel.14
InstallShield.SetupKernel.14
InstallShield.SetupKernel
InstallShield.SetupKernel
InstallShield.SetupLogServices.14
InstallShield.SetupLogServices.14
InstallShield.SetupLogServices
InstallShield.SetupLogServices
InstallShield.SetupScriptDriverWrapper.14
InstallShield.SetupScriptDriverWrapper.14
InstallShield.SetupScriptDriverWrapper
InstallShield.SetupScriptDriverWrapper
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.h
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.h
>%s (%d)
>%s (%d)
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
SetupExe: %s
%s|%s|
%s|%s|
.?AVhttp_file@is@@
.?AVhttp_file@is@@
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
HttpEndRequestA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FtpFindFirstFileA
FtpFindFirstFileA
HttpQueryInfoA
HttpQueryInfoA
InternetCreateUrlA
InternetCreateUrlA
InternetCrackUrlA
InternetCrackUrlA
InternetOpenUrlA
InternetOpenUrlA
wininet.dll
wininet.dll
RPAWINET.DLL
RPAWINET.DLL
Mozilla
Mozilla
AutoConfigURL
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
iexplore.exe
\mozver.dat
\mozver.dat
netscp6.exe
netscp6.exe
netscape.exe
netscape.exe
FTP_ProxyPort
FTP_ProxyPort
FTP_Proxy
FTP_Proxy
HTTPS_ProxyPort
HTTPS_ProxyPort
HTTPS_Proxy
HTTPS_Proxy
https=
https=
HTTP_ProxyPort
HTTP_ProxyPort
HTTP_Proxy
HTTP_Proxy
http=
http=
\prefs.js
\prefs.js
\nsreg.dat
\nsreg.dat
\registry.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http_port"
"network.proxy.http"
"network.proxy.http"
network.proxy.type
network.proxy.type
Range: bytes=%d-
Range: bytes=%d-
.text
.text
source%d
source%d
dest%d
dest%d
Software\InstallShieldPendingOperation
Software\InstallShieldPendingOperation
WinTrust.dll
WinTrust.dll
CertFreeCertificateChain
CertFreeCertificateChain
CertGetCertificateChain
CertGetCertificateChain
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertFindCertificateInStore
CertFindCertificateInStore
CertCloseStore
CertCloseStore
CertNameToStrA
CertNameToStrA
CertOpenSystemStoreA
CertOpenSystemStoreA
CertSaveStore
CertSaveStore
CertOpenStore
CertOpenStore
CertGetIssuerCertificateFromStore
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertFreeCertificateContext
CryptImportPublicKeyInfo
CryptImportPublicKeyInfo
CertCompareCertificate
CertCompareCertificate
CryptMsgClose
CryptMsgClose
CryptMsgGetParam
CryptMsgGetParam
Crypt32.dll
Crypt32.dll
CryptDestroyKey
CryptDestroyKey
CryptExportKey
CryptExportKey
CryptImportKey
CryptImportKey
CryptDeriveKey
CryptDeriveKey
Advapi32.dll
Advapi32.dll
%s%s%s
%s%s%s
zcÃ
zcÃ
0*%UP
0*%UP
q.ya!
q.ya!
%u X`i@
%u X`i@
_$,ZS.db
_$,ZS.db
o7.6.3
o7.6.3
c:\%original file name%.exe
c:\%original file name%.exe
OPERATION
OPERATION
*.hdr
*.hdr
DISK1SETUPEXENAME
DISK1SETUPEXENAME
corecomp.ini
corecomp.ini
SUPPORTDIR
SUPPORTDIR
p{92D2CF18-2F36-11d3-A901-00105A088FAC}
p{92D2CF18-2F36-11d3-A901-00105A088FAC}
portuguese-brazil
portuguese-brazil
portuguese
portuguese
Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\
Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Uninstall\
UNINSTALLKEY
UNINSTALLKEY
UninstallKey
UninstallKey
hXXp://
hXXp://
hXXps://
hXXps://
PTF://
PTF://
eSHAREDSUPPORTDIR
eSHAREDSUPPORTDIR
123.tmp
123.tmp
r\ilog.dll
r\ilog.dll
installfromweb:
installfromweb:
1234567890
1234567890
dBenderC.Cab
dBenderC.Cab
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
reboot.ini
reboot.ini
*.lnk
*.lnk
explorer.exe
explorer.exe
HotKeyCode=
HotKeyCode=
xvalue.shl
xvalue.shl
*.ips
*.ips
*%.4lx*.ips
*%.4lx*.ips
%*.*f
%*.*f
IWININIT.INI
IWININIT.INI
_isuser.dll
_isuser.dll
_isres.dll
_isres.dll
\Microsoft.NET\Framework\v3.0
\Microsoft.NET\Framework\v3.0
\Microsoft.NET\Framework\v2.0.50727
\Microsoft.NET\Framework\v2.0.50727
\Microsoft.NET\Framework\v1.1.4322
\Microsoft.NET\Framework\v1.1.4322
\Microsoft.NET\Framework\v1.0.3705
\Microsoft.NET\Framework\v1.0.3705
InstallShield\UpdateService\agent.exe
InstallShield\UpdateService\agent.exe
dispatch_execption
dispatch_execption
%s%s%d.%s
%s%s%d.%s
6.0.100.1228
6.0.100.1228
1-800-809-5659
1-800-809-5659
InstallShield Runtime Installer
InstallShield Runtime Installer
%original file name%.exe_188_rwx_00B98000_00014000:
?* -,-30
?* -,-30
>MN92>a.kS.
>MN92>a.kS.
.%8%8%8%
.%8%8%8%
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0
0.0.0.0.0
3h%UH
3h%UH
%original file name%.exe_188_rwx_00BCF000_00001000:
kernel32.dll
kernel32.dll
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RPCRT4.dll
RPCRT4.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
%original file name%.exe_188_rwx_018D1000_00080000:
SSSSh0u
uwSSh
PSShx@
PSShh@
PSSh`B
PSShXB
.tTPV
FTPjK
FtPj;
F.PjRWj
u.hPX
u.WWj
u.VVj
__MSVCRT_HEAP_SELECT
portuguese-brazilian
user32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
EnumChildWindows
CreateDialogIndirectParamA
USER32.dll
GDI32.dll
EnumPortsA
WINSPOOL.DRV
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
RPCRT4.dll
VERSION.dll
GetCPInfo
MsgWaitForMultipleObjects
SetViewportExtEx
SetViewportOrgEx
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ADVAPI32.dll
ISRT.dll
Result=%s
RegistrySet=%s
Media=%s
)Result=%s
Name=%s
%s\%s
GetSystemWindowsDirectoryA
KERNEL32.DLL
%hx.rra
Dll=%s
Function=%s
Param01=%s
Dir=%s
Source=%s
Target=%s
InstallFromTheWeb
Library=%s
RICHED32.DLL
uxtheme.dll
File=%s
ProgId=%s
AssemblyPathFile=%s
AssemblyNameAndClass=%s
AppDomain=%s
mscoree.dll
PrintFileWithShellExecute
ShellExecute failed.
An unhandled exception occurred in 'CPrintRuntime::%s'.
ShellExecute returned:
RootKey=%ld
Key=%s
Class=%s
RegDBCreateKeyEx
RegDBDeleteKey
Value=%s
ValueName=%s
RegDBSetKeyValueEx
%d,%d,%d
%d,%d
ProgramFolder=%s
ItemName=%s
CommandLine= %s
WorkingDir=%s
IconFile=%s
ShortcutKey=%s
Folder=%s
Icon=%s
NewItemName=%s
CommandLine=%s
IconPath=%s
view.bmp
FileName=%s
FileVersion=%s
%d.%d.%d.%d
4194303.9
4194303
%s%s%s
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
SOFTWARE\Microsoft\Windows\CurrentVersion
%s|%s|
InternetCanonicalizeUrlA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestA
HttpOpenRequestA
FtpFindFirstFileA
HttpQueryInfoA
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
wininet.dll
RPAWINET.DLL
Mozilla
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
\mozver.dat
netscp6.exe
netscape.exe
FTP_ProxyPort
FTP_Proxy
HTTPS_ProxyPort
HTTPS_Proxy
https=
HTTP_ProxyPort
HTTP_Proxy
http=
\prefs.js
\nsreg.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http"
network.proxy.type
Range: bytes=%d-
.?AVhttp_file@is@@
MPR.DLL
Kernel32.dll
kernel32.dll
Ntdll.dll
psapi.dll
skin.ini
-x
zcÃ
c:\%original file name%.exe
a.hdr
hXXp://
123.tmp
hXXps://
PTF://
difxapi.dll
1234567890
_isuser.dll
_isres.dll
_ISRes.dll
_ISUser.dll
%s%s%d.%s
@%*.*f
EXPLORER.EXE
PSTORES.EXE
>MN92>a.kS.
42%,,2%>
setup.exe_880:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\nsCBHTML5.dll
hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\nsCBHTML5.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp
tware\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,DBNI|OtherthanIEDefault,RE2|Opera Software,RE3|Opera Software
VAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira
Nullsoft Install System v11-Jul-2014.cvs
GetProcessHeap
OLEAUT32.dll
WININET.dll
MSVCRT.dll
nsWeb.dll
6(7.767;7
4<.pd>
q.ya!
%u X`i@
_$,ZS.db
o7.6.3
0*%UP
nsy2.tmp
2.html?
://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
2~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1905696
ments and Settings\"%CurrentUserName%"\Local Settings\Temp\setup.exe"
{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
ft Windows XP
"%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe"
%Documents and Settings%\%current user%\Local Settings\Temp
setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe
1048838
940180580
1179874
1376514
1048880
1245524
1179950
37.57.16.189_2015-11-23_23:57:47
422~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
ttp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1245444
-1945828744
hXXp://VVV.fcesneim.us/FCL_htiw_qinu.php
hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php
\Program Files\Internet Explorer\iexplore.exe" -nohome
hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php
hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip
hXXp://VVV.djapp.info/?file=bundle
hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip
B1|C*F*I,F4|Mail.Ru\Sputnik
KLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,DBNI|OtherthanIEDefault,RE2|Opera Software,RE3|Opera Software
689#B1|C*F*I,F4|Mail.Ru\Sputnik
ST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira
Mail.Ru\Sputnik
F4|Mail.Ru\Sputnik
ft\Windows\CurrentVersion\Uninstall^Opera
6.189_2015-11-23_23:57:47
ffiliateId.php
mote_dcmd.php
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\FirstResult.txt
89#B1|C*F*I,F4|Mail.Ru\Sputnik
tp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip
17970.exe
w.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01
systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
re,RE3|Opera Software
cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
)-.Yln
Nullsoft Install System v11-Jul-2014.cvs
hXXp://VVV.microsoft.com
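The setup.exe (PID 880) memory region above carries two delimiter-packed configuration strings that are worth parsing rather than eyeballing: the offer manifest (records separated by "#", fields by "~", each record an id followed by three URLs and trailing flags) and the check lists (items separated by ",", each "CODE|value", with "^" separating registry hive, key and subkey, as in "ER|HKCU^Software\...\Uninstall^Opera"). The example below is added by the editor and is not code from the report or from the sample; it parses the strings exactly as they appear in the dump, refangs the hXXp/VVV defanging, and emits the distinct URLs and hosts as indicators. The meaning of the trailing "~null~0~1~0.01" fields and of codes such as RE3, ER and DBNI is not recoverable from the dump and is left as labelled unknowns; the leading "H" of "HKLM" is missing from the recovered string, so the parser tolerates an item without a code.

```python
"""Parse the '~'/'#' offer manifest and the ','/'|'/'^' check lists recovered
from setup.exe:880 memory. Editor-added example; sample strings are copied from
the report, field semantics beyond what is visible are marked as assumptions."""
import re
from typing import NamedTuple

# Copied from the strings dump, defanged as the report prints it (hXXp, VVV).
OFFER_MANIFEST = (
    "422~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip"
    "~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01"
    "#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip"
    "~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe"
    "~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0"
)
# Copied from the dump; the first item lost its leading "H" and its "CODE|" prefix.
CHECK_LIST = (
    "KLM^Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall^Opera,"
    "ER|HKCU^Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall^Opera,"
    "DBNI|OtherthanIEDefault,RE2|Opera Software,RE3|Opera Software"
)
# Copied from the dump: the values are security-product names and registry paths.
AV_CHECK_LIST = (
    "RE3|Microsoft\\Windows\\CurrentVersion\\Uninstall\\avast,RE3|VIPRE Antivirus,"
    "RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,"
    "RE3|Fortinet\\FortiClient,RE3|AVG,RE3S|Avira"
)


def refang(url: str) -> str:
    """Undo the report's defanging so a value can be matched against proxy logs."""
    return re.sub(r"^hXXp", "http", url).replace("://VVV.", "://www.")


class Offer(NamedTuple):
    offer_id: int
    screen_zip: str    # OfferScreen_<id>.zip, the UI bundle shown for the offer
    payload_url: str   # the installer the offer fetches
    payload_url2: str  # same URL repeated in every record; assumption: fallback
    extra: tuple       # "null", "0", "1", "0.01": meaning not recoverable from the dump


def parse_offer_manifest(blob: str) -> list:
    """Split on '#' into records and on '~' into fields; skip truncated fragments
    (several appear in the dump) that lack a numeric id or the three URLs."""
    offers = []
    for record in blob.split("#"):
        fields = record.split("~")
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        offers.append(Offer(int(fields[0]), refang(fields[1]), refang(fields[2]),
                            refang(fields[3]), tuple(fields[4:])))
    return offers


def parse_check_list(blob: str) -> list:
    """Return (code, value_parts) pairs; value is split on '^' (hive/key/subkey).
    An item without '|' is one whose code was cut off in the dump: code '?'."""
    items = []
    for item in blob.split(","):
        code, sep, value = item.partition("|")
        if not sep:
            code, value = "?", item
        items.append((code, tuple(value.split("^"))))
    return items


def iocs(offers: list):
    """Distinct refanged URLs and their hosts, for blocking or hunting."""
    urls = sorted({u for o in offers
                   for u in (o.screen_zip, o.payload_url, o.payload_url2)})
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for u in urls})
    return urls, hosts


if __name__ == "__main__":
    found = parse_offer_manifest(OFFER_MANIFEST)
    for o in found:
        print(o.offer_id, o.screen_zip, o.payload_url, o.extra)
    print(iocs(found))
    for code, parts in parse_check_list(CHECK_LIST) + parse_check_list(AV_CHECK_LIST):
        print(code, parts)
```

Refanging happens at parse time so the emitted hosts can be dropped straight into a blocklist; the check-list codes are carried through unchanged rather than guessed at, since the dump shows only that RE3 items name installed security products and that the Opera entries pair a code with an uninstall registry key.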
%original file name%.exe_188_rwx_01955000_00001000:
kernel32.dll
USER32.dll
GDI32.dll
WINSPOOL.DRV
EnumPortsA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
VERSION.dll
ADVAPI32.dll
%original file name%.exe_188_rwx_01970000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
%original file name%.exe_188_rwx_01B31000_00075000:
Invalid allocation size: %u bytes.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
memory check error at 0xX = 0xX, should be 0xX.
%hs located at 0xX is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0xX.
Bad memory block found at 0xX.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0xX, subtype %x, %u bytes long.
normal block at 0xX, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
%hs(%d) :
#File Error#(%d) :
Data: %s
__MSVCRT_HEAP_SELECT
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
portuguese-brazilian
c:\%original file name%.exe
GetCPInfo
KERNEL32.dll
@10550,10551;1;0;;0,128,128
Please insert the next disk, Disk %d. If the files on this disk can be found in another location, for example, in another drive, enter its full path or click the Browse button to select its path.
Enter the password required to run this setup. Please note that passwords are case sensitive. Click Next to continue.
Password
This setup has been password protected.
Enter the user name and password that should be used to log on.
&Password:
Specify a SQL Login ID and Password.
Database Server Login
Database server requires login credentials to continue.
&Login ID:
&Windows authentication
S&QL Server authentication using the Login ID and password below
@10550,10551;1;0;;0,128,128
c:\path\company\product\suite\version
@10553,10553;1;0;;0,128,128
Restarting Windows
c:\folder\company\product
A read only file, %s, was found while attempting to copy files to the destination location. To overwrite the file, click the Yes button, otherwise click the No button.
c:\path\company\product
&Let Setup modify the %s file.
&Save the required changes to %s file.
This text is modifed by the 'szMsg' parameter. You can reposition controls in this dialog and add static text fields.
Press the PAGE DOWN key to see the rest of the agreement.
%s of space required on the %s drive
%s of space available on the %s drive
Specify a user account and password.
Con&firm password:
An internal read error has occurred on %s. Unable to load setup instructions.
Error 703.
%s file has become corrupted. Unable to load setup instructions.
Setup has detected a possible infinite loop in the script with function %s. Make sure you are handling the error return codes properly.
Error 425.
Setup is unable to find the installation script file: %s
Error 426.
Setup is unable to load the installation script file.
Setup is unable to copy the installation support file %s to a temporary location.
Setup is unable to copy the installation support file _SETUP.LIB to a temporary location. Make more space available and try again.
Error 421.
Setup is unable to expand the installation support file %s.
Setup is unable to load the installation script file: %s
%d %%
Setup has detected that unInstallShield is in use. Please close unInstallShield and restart setup.
Error 432.
An attempt was made to access a structure with an invalid pointer. The setup will terminate.
Setup is unable to initialize the installation program ( INSTALL.EXE ).
Error 201.
Setup is unable to initialize the installation program.
Error %d.
Unable to write to response file '%s' during recording. Please ensure enough space is available on target drive.
Invalid mode.
Required data not found in the Setup.iss file.
Please free up some disk space or modify your selections.
Setup is complete. You may run the installed program by double-clicking on the installed program icon.
Installing...
There is not enough space available on the disk.
Please free up some space or change the target location to a different disk.
This program requires VGA or better resolution.
Do you want to view the ReadMe file now?
General file transfer error. Please check your target location and try again.
Copying program files...
Creating Program Group and Icons...
Setup program cannot modify file %s.
Unable to create target folder %s. Please check write access to %s.
Unable to locate file %s.
Please select a different folder.
Keep the older version.
You may run setup at a later time to complete the installation.
Do you want to quit the setup program now?
Do you want to continue this setup?
If you choose to continue, the setup program will overwrite the existing version.
The setup program failed to load file %s.
Setup program has successfully modified the %s file, and the old version of the file is saved as %s.
A version of %s is currently in use.
Please close all applications and run setup again.
Please select the installation folder.
Select the type of setup.
You must quit all programs and restart your computer before using the application.
Error Number
The setup program cannot save the newly modified %s file back to disk.
A folder name cannot contain any of the following characters:
You may run the setup program at a later time to complete the operations.
Your system has not been modified. To install this program at a later time, please run the setup again.
Click Finish to exit the Setup wizard.
Select the features you want to install, and deselect the features you want to uninstall.
CRC error: The file %s doesn't match the file in the setup's .cab file. The medium from which you are running the setup may be corrupted; contact your software vendor.
The following error occurred on the file '%s'.
%s (0x%x)
Locked file: %s
Click Postpone to change this file the next time you restart your computer; click Skip to leave this file unchanged.
Unable to locate the file %s on disk %d. Please select an operation.
Please insert disk %d that contains the file %s.
Read-only file: %s
Do you want InstallShield to modify this read-only file?
Cannot add feature. FeatureAddItem was unable to add a feature to the script-created feature set.
Specified feature already exists.
Specified feature cannot be deselected. FeatureSelectItem was called to deselect a feature required by a currently selected feature.
Specified feature name is not valid.
The value passed in the second parameter of FeatureInitialize is not valid.
Attempted operation not allowed with script-created feature sets.
A script-created feature set name was passed to a feature function (for example, FeatureFileInfo) that operates only on file media.
When calling FeatureFileEnum, FeatureFileInfo, FeatureListItems, or FeatureSetupTypeEnum, verify that the list you are passing to the function is valid.
Attempted operation not allowed with file media library. A file media name was passed to a feature function (for example, FeatureAddItem) that operates only on script-created feature sets.
Media is already initialized.
The file Data1.cab is corrupt, or the file specified in a call to FeatureInitialize is not an InstallShield-generated cabinet file.
Specified password does not match.
Specified password does not match.
The specified password does not match the password stored in the specified file media library or feature.
The specified password does not match the password stored in the specified file media library or feature.
Specified password cannot be found.
Specified password cannot be found.
FeatureValidate was called to validate a feature or a file media library for which no password has been set.
FeatureValidate was called to validate a feature or a file media library for which no password has been set.
The media or the feature password was not validated.
The media or the feature password was not validated.
Invalid value passed to a feature-related function.
Invalid value passed to a feature-related function.
One of the values passed to a feature function is invalid. This error can be caused, for example, by passing an empty string in the second parameter of FeatureAddItem.xData cannot be read from the Internet.
One of the values passed to a feature function is invalid. This error can be caused, for example, by passing an empty string in the second parameter of FeatureAddItem.xData cannot be read from the Internet.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield. The Internet connection has been lost and cannot be reestablished by InstallFromTheWeb.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield. The Internet connection has been lost and cannot be reestablished by InstallFromTheWeb.
Cabinet file generated by an older version of InstallShield. Verify that the project was built with your most recent version of InstallShield. Verify that you are not using mismatched cabinet files generated by different versions of InstallShield.TUnable to decompress a file. An internal error occurred. Contact technical support.
Cabinet file generated by an older version of InstallShield. Verify that the project was built with your most recent version of InstallShield. Verify that you are not using mismatched cabinet files generated by different versions of InstallShield.TUnable to decompress a file. An internal error occurred. Contact technical support.
The target disk or directory has insufficient free space; the disk space can not be determined because TARGETDIR is invalid; or a script-defined folder of a feature has not been set.VEnterDisk function called failed. Internal error occurred. Contact technical support.
The target disk or directory has insufficient free space; the disk space can not be determined because TARGETDIR is invalid; or a script-defined folder of a feature has not been set.VEnterDisk function called failed. Internal error occurred. Contact technical support.
Specified file cannot be opened as read-only. The file Data1.cab (or one of the other data cab files) is missing or corrupted; or an uncompressed data file is missing from a CD-ROM, Data As Files build.jSpecified file cannot be opened as read/write. Unable to append to split file. Contact technical support.
Specified file cannot be opened as read-only. The file Data1.cab (or one of the other data cab files) is missing or corrupted; or an uncompressed data file is missing from a CD-ROM, Data As Files build.jSpecified file cannot be opened as read/write. Unable to append to split file. Contact technical support.
Unable to self-register a file properly. This error has many possible causes. For details, refer to article Q101538 in the InstallShield Knowledge Base.^Unable to update a shared file in FeatureMoveData. Internal error. Contact technical support.EUnable to write to a file.
Unable to self-register a file properly. This error has many possible causes. For details, refer to article Q101538 in the InstallShield Knowledge Base.^Unable to update a shared file in FeatureMoveData. Internal error. Contact technical support.EUnable to write to a file.
Internal error. Contact technical support.
Internal error. Contact technical support.
Error renaming a file. An attempt was made to transfer an executable file (an .exe or .com file) over a locked file without setting the Potentially Locked property to Yes.
Error renaming a file. An attempt was made to transfer an executable file (an .exe or .com file) over a locked file without setting the Potentially Locked property to Yes.
Unknown Error.RDo you want to completely remove the selected application and all of its features?.Feature:
Unknown Error.RDo you want to completely remove the selected application and all of its features?.Feature:
Shared file: %s
Shared file: %s
%d$Read-Only File Found - InstallShield
%d$Read-Only File Found - InstallShield
&Try AgainJResolution is equal to %d, this program requires VGA or better resolution.:The following files did not self-register or unregister:
&Try AgainJResolution is equal to %d, this program requires VGA or better resolution.:The following files did not self-register or unregister:
Error : 0x%x
Error : 0x%x
Unhandled Exception"Error Number: 0x%X
Unhandled Exception"Error Number: 0x%X
Description: %s
Description: %s
Removed0Specify the location of the file %s to continue.
Removed0Specify the location of the file %s to continue.
Setup needs the file %s
Setup needs the file %s
Internal Failure"Error Number: 0x%X
Internal Failure"Error Number: 0x%X
KInstallShield Wizard has finished performing maintenance operations on %p.
KInstallShield Wizard has finished performing maintenance operations on %p.
DifferenceshThe InstallShield Patch Wizard will install the patch for %P on your computer. To continue, click Next.0Welcome to the InstallShield Patch Wizard for %PHAre you sure you want to completely remove '%s' and all of its features?CThe wizard was interrupted before %P could be completely installed.
DifferenceshThe InstallShield Patch Wizard will install the patch for %P on your computer. To continue, click Next.0Welcome to the InstallShield Patch Wizard for %PHAre you sure you want to completely remove '%s' and all of its features?CThe wizard was interrupted before %P could be completely installed.
InstallShield Wizard Completed.PNetwork Location
InstallShield Wizard Completed.PNetwork Location
Enter the network location or browse to a location. Click Install to create a server image of %P or click Cancel to exit the wizard. Fatal error during installation.FConsult Windows Installer Help (Msi.chm) or MSDN for more information.(Resuming the InstallShield Wizard for %PVWizard will complete the installation of %P on your computer. To continue, click Next.
Enter the network location or browse to a location. Click Install to create a server image of %P or click Cancel to exit the wizard. Fatal error during installation.FConsult Windows Installer Help (Msi.chm) or MSDN for more information.(Resuming the InstallShield Wizard for %PVWizard will complete the installation of %P on your computer. To continue, click Next.
%s - InstallShield Wizard_The installed version of the application could not be determined. The setup will now terminate.]The current version of the application could not be determined. The setup will now terminate.
%s - InstallShield Wizard_The installed version of the application could not be determined. The setup will now terminate.]The current version of the application could not be determined. The setup will now terminate.
]The password you have entered is incorrect. You must enter the correct password to continue.
]The password you have entered is incorrect. You must enter the correct password to continue.
This setup requires Internet Information Server 4.0 or higher for configuring IIS Virtual Roots. Please make sure that you have IIS 4.0 or higher.uThe version of %s present does not meet this setup's minimum requirements. This installation requires %s %s or later..There was an error logging in to %s.
This setup requires Internet Information Server 4.0 or higher for configuring IIS Virtual Roots. Please make sure that you have IIS 4.0 or higher.uThe version of %s present does not meet this setup's minimum requirements. This installation requires %s %s or later..There was an error logging in to %s.
Error: %sZThere was an error running the SQL script %s. Setup will now terminate.
Error: %sZThere was an error running the SQL script %s. Setup will now terminate.
Line: %d
Line: %d
Error: %spThe SQL script '%s' could not be run because no valid connection to the server exists. Setup will now terminate.5SQL script support has not been properly initialized.HSupport for database server failed to initialize. Setup will terminate./There was an error detecting the version of %s.gBrowsing or connecting for database servers requires that MDAC be installed. Setup will now terminate.
Error: %spThe SQL script '%s' could not be run because no valid connection to the server exists. Setup will now terminate.5SQL script support has not been properly initialized.HSupport for database server failed to initialize. Setup will terminate./There was an error detecting the version of %s.gBrowsing or connecting for database servers requires that MDAC be installed. Setup will now terminate.
This installation requires a Microsoft SQL Server. The specified server '%s' is a Microsoft SQL Server Desktop Engine or SQL Server Express.)The InstallShield Wizard is installing %P(The InstallShield Wizard is modifying %P(The InstallShield Wizard is repairing %P'The InstallShield Wizard is removing %P
This installation requires a Microsoft SQL Server. The specified server '%s' is a Microsoft SQL Server Desktop Engine or SQL Server Express.)The InstallShield Wizard is installing %P(The InstallShield Wizard is modifying %P(The InstallShield Wizard is repairing %P'The InstallShield Wizard is removing %P
(String %s was not found in string table.
(String %s was not found in string table.
Error loading NetApi32.DLL. The ISNetApi.dll needs to have NetApi32.DLL properly loaded and requires an NT based operating system.\Server not found. Verify that the specified server exists. The server name can not be empty.&Unspecified error from ISNetApiRT.dll.
Error loading NetApi32.DLL. The ISNetApi.dll needs to have NetApi32.DLL properly loaded and requires an NT based operating system.\Server not found. Verify that the specified server exists. The server name can not be empty.&Unspecified error from ISNetApiRT.dll.
Unhandled exception.,Invalid user name for this server or domain.*The case-sensitive passwords do not match.
Unhandled exception.,Invalid user name for this server or domain.*The case-sensitive passwords do not match.
Error getting group.SError adding user to group. Verify that the group exists for this domain or server.
Error getting group.SError adding user to group. Verify that the group exists for this domain or server.
Error creating user.
Error creating user.
Invalid group.IThe user name can not be empty and must be in the format DOMAIN\Username.>Error loading or creating INI file in the user TEMP directory.
Invalid group.IThe user name can not be empty and must be in the format DOMAIN\Username.>Error loading or creating INI file in the user TEMP directory.
ISNetApiRT.dll is not loaded or there was an error loading the dll. This dll needs to be loaded for this operation. Verify that the dll is in the SUPPORTDIR directory.WError deleting INI file containing new user information from the user's TEMP directory.
ISNetApiRT.dll is not loaded or there was an error loading the dll. This dll needs to be loaded for this operation. Verify that the dll is in the SUPPORTDIR directory.WError deleting INI file containing new user information from the user's TEMP directory.
2Error getting the primary domain controller (PDC).8Every field must have a value in order to create a user.QODBC driver for %s not found. This is required to connect to %s database servers.%Unable to initialize XML runtime .dll/Unexpected error updating XML files. Error: %dxThis setup requires MSXML 3.0 or higher for configuring XML files. Please make sure that you have version 3.0 or higher.%Error updating XML file %s. Error: %d$Error opening XML file %s. Error: %d
2Error getting the primary domain controller (PDC).8Every field must have a value in order to create a user.QODBC driver for %s not found. This is required to connect to %s database servers.%Unable to initialize XML runtime .dll/Unexpected error updating XML files. Error: %dxThis setup requires MSXML 3.0 or higher for configuring XML files. Please make sure that you have version 3.0 or higher.%Error updating XML file %s. Error: %d$Error opening XML file %s. Error: %d
There was an error attempting to open connection %s. No valid database metadata associated with this connection. Setup will now terminate.ZThere was an error creating database %s. Setup will now terminate.
There was an error attempting to open connection %s. No valid database metadata associated with this connection. Setup will now terminate.ZThere was an error creating database %s. Setup will now terminate.
Server: %s %s
Server: %s %s
Error:%s`There was an error connecting to database %s. Setup will now terminate.
Error:%s`There was an error connecting to database %s. Setup will now terminate.
Error: %sjThere was an error retrieving schema version from %s %s. Setup will now terminate.
Error: %sjThere was an error retrieving schema version from %s %s. Setup will now terminate.
Database: %s
Database: %s
Error: %seThere was an error writing schema version to %s %s. Setup will now terminate.
Error: %seThere was an error writing schema version to %s %s. Setup will now terminate.
Error: %szThere was an error attempting to run the SQL script %s. The SQL script file could not be opened. Setup will now terminate.LThere was an unexpected error running SQL scripts. Setup will now terminate.
Error: %szThere was an error attempting to run the SQL script %s. The SQL script file could not be opened. Setup will now terminate.LThere was an unexpected error running SQL scripts. Setup will now terminate.
There was an error loading %s. This file needs to be loaded for InstallShield SQL operation. Verify that the file is in the SUPPORTDIR directory. Setup will now terminate.UFrom the list of catalog names below, select the database catalog you like to target.
There was an error loading %s. This file needs to be loaded for InstallShield SQL operation. Verify that the file is in the SUPPORTDIR directory. Setup will now terminate.UFrom the list of catalog names below, select the database catalog you like to target.
%original file name%.exe_188_rwx_01BBC000_00002000:
kernel32.dll
14.0.162
_IsRes.dll
%original file name%.exe_188_rwx_01BC0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
setup.exe_880_rwx_10004000_00001000:
callback%d