Gen.Variant.Adware.Kazy.281894_718e9f2f2d

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

MicroProProc.exe:1924
MicroProProc.exe:316
%original file name%.exe:1756
MicroProCon.exe:340
WinCtrCon.exe:596
WinCtrProc.exe:1348
irsetup.exe:1628

The PUP injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process MicroProProc.exe:1924 makes changes in the file system.

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF29CB.tmp (0 bytes)

The process MicroProProc.exe:316 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrCon[1].exe (52969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (52969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\TransSiteString[1].htm (12 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFC67.tmp (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process MicroProCon.exe:340 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\MicroProProc[1].exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\ProgramUpdateLab[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\FcTimeLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe (409017 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF830D.tmp (0 bytes)

The process WinCtrCon.exe:596 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrProc[1].exe (418761 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\FcTimeLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\sTakeList[1].htm (917 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF5742.tmp (0 bytes)

The process WinCtrProc.exe:1348 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\Uninstall_Ctr[1].exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\keyword_platinum[1].htm (4 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\FormLocation[1].htm (5 bytes)

The process irsetup.exe:1628 makes changes in the file system.

The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe (2712 bytes)
%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

Registry activity

The process MicroProProc.exe:1924 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 9E F3 FA F5 F5 90 B2 0F 15 7E D5 5F 13 3E 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process MicroProProc.exe:316 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"PDR" = "asdfaeiqwerh"
"Commit" = "N"
"USER_NO" = "3196"
"SUBNAME" = "MAIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"AdFlag" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "N"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\WinCtrView]
"firstTime" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\WinCtrView]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Intro_No" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1347"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 FF 66 C3 0F 8B 48 B1 2C FF B6 40 EF 2F 0A C9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SndUi"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -SndUi"

The PUP deletes the following registry key(s):

[HKCU\Software\MicroName]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

"AutoConfigURL"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

The process %original file name%.exe:1756 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 3B E3 E8 4C A3 1A 51 AD 9F 14 9D 3E 15 3A 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process MicroProCon.exe:340 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\MicroName]
"Upmom" = "N"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\MicroName]
"Commit" = "N"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\MicroName]
"firstTime" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\MicroName]
"MomDate" = "1/24/2015"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 63 D1 4D 81 99 10 4A 6D E4 DD 65 96 9F A4 3C"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\MicroName]
"Version" = "1347"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc" = "%Documents and Settings%\%current user%\Application Data\MiCroLab\MyEngin\Common\MicroProProc.exe -iCtjxI"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon" = "%Documents and Settings%\%current user%\Application Data\MiCroLab\MyEngin\Common\MicroProCon.exe -iCtjxI"

The PUP deletes the following registry key(s):

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

The process WinCtrCon.exe:596 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1704"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 17 D2 22 0E C0 0F E8 49 9E C4 CF AF 15 1A 15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\WinCtrView]
"MomDate" = "1/24/2015"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -jEulzJ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -jEulzJ"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

"AutoConfigURL"
"ProxyOverride"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process WinCtrProc.exe:1348 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3196"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\WinCtrView]
"firstTime" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\WinCtrView]
"Actdate" = "1/24/2015"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 15 3E ED 82 42 89 38 56 53 06 6D 64 76 3E 2D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -HcSJXhQPD"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -HcSJXhQPD"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

"AutoConfigURL"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

The process irsetup.exe:1628 makes changes in the system registry.

The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\MicroName]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\MicroName]
"Version" = "0000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\MicroName]
"SUBNAME" = "MAIN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\MicroName]
"CURDIR" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\MicroName]
"S_NO" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\MicroName]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D C7 B1 0C 57 F8 16 78 E4 6B ED F1 31 D0 45 14"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\MicroName]
"Upmom" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\MicroName]
"PDR" = "asdfaeiqwerh"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\MicroName]
"USER_NO" = "3196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\MicroName]
"Owner" = "admin"

To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroLabCon" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroLabProc" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProProc.exe"

Dropped PE files

MD5	File path
dcab9c0938b7c455c7c547126196db3a	c:\Documents and Settings\"%CurrentUserName%"\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe
fa1a41b05a5029cb2a500b1dbe2d17e8	c:\Documents and Settings\"%CurrentUserName%"\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe
c3a2676fd2bec4903dea49c7e31f890b	c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe
fe0d087b51d352296438d0d5b97f2e86	c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe
09abf0299cdc3dc2548cacd26070a60f	c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe
3fe7c92dba5c9240b4ab0d6a87e6166a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
c3a2676fd2bec4903dea49c7e31f890b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\Uninstall_Ctr[1].exe
fa1a41b05a5029cb2a500b1dbe2d17e8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\MicroProProc[1].exe
fe0d087b51d352296438d0d5b97f2e86	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrCon[1].exe
09abf0299cdc3dc2548cacd26070a60f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrProc[1].exe
90a39346e9b67f132ef133725c487ff6	c:\WINDOWS\system32\MSINET.OCX
84742b5754690ed667372be561cf518d	c:\WINDOWS\system32\VB6KO.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   MicroProProc.exe:1924
   MicroProProc.exe:316
   %original file name%.exe:1756
   MicroProCon.exe:340
   WinCtrCon.exe:596
   WinCtrProc.exe:1348
   irsetup.exe:1628

2. Delete the original PUP file.
   
3. Delete or disinfect the following files created/modified by the PUP:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrCon[1].exe (52969 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\StakePsList[1].htm (917 bytes)
   %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (52969 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\FormLocation[1].htm (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\UCg_LPrMLab[1].htm (396 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\FcPimSLab[1].htm (157 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\TransSiteString[1].htm (12 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\MicroProProc[1].exe (409017 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\ProgramUpdateLab[1].htm (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\sTakeList[1].htm (917 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\FcTimeLab[1].htm (157 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe (409017 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\WinCtrProc[1].exe (418761 bytes)
   %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\ProgramUpdateLab[1].htm (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\FcTimeLab[1].htm (157 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\sTakeList[1].htm (917 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\TransSiteString[1].htm (12 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JITBKDNL\FcPimSLab[1].htm (157 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\StakePsList[1].htm (917 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SE4AC4HR\UCg_LPrMLab[1].htm (396 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEBQZWF\Uninstall_Ctr[1].exe (89729 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\keyword_platinum[1].htm (4 bytes)
   %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KV4N2T4V\FormLocation[1].htm (5 bytes)
   %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe (2712 bytes)
   %System%\VB6KO.DLL (2712 bytes)
   %System%\MSINET.OCX (2784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SndUi"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -SndUi"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "MicroProProc" = "%Documents and Settings%\%current user%\Application Data\MiCroLab\MyEngin\Common\MicroProProc.exe -iCtjxI"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "MicroProCon" = "%Documents and Settings%\%current user%\Application Data\MiCroLab\MyEngin\Common\MicroProCon.exe -iCtjxI"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -jEulzJ"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -jEulzJ"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -HcSJXhQPD"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -HcSJXhQPD"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "MicroLabCon" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "MicroLabProc" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProProc.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Setup Factory 8.0 Runtime
Product Version: 8.2.1.0
Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf80_launch.exe
Internal Name: suf80_launch
File Version: 8.2.1.0
File Description: Setup Application
Comments: Created with Setup Factory 8.0
Language: English (United States)

Company Name: Product Name: Setup Factory 8.0 RuntimeProduct Version: 8.2.1.0Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose CorporationLegal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.Original Filename: suf80_launch.exeInternal Name: suf80_launchFile Version: 8.2.1.0File Description: Setup ApplicationComments: Created with Setup Factory 8.0Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	28836	32768	4.26507	a8dbcac095aef6f1ff0f56e91c5abc15
.rdata	36864	10370	12288	3.44532	efb6029b9a5f70171975f6b5a16c78ce
.data	49152	6440	4096	1.54728	cf8d7dd9f4b828868db85743b8601f51
.rsrc	57344	28040	28672	4.06487	05962a2c16ea40395e7b662814eba9fd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 62
0e1bf09cea8e7cf2d8ff215b54ccc3ff
02adc8c2d1b9d35456648d00b2e113cd
670c94280fdc3b0cb140feae731d4c0d
0c98a0bbf155499f661f9197ebe6f911
e0c73ec709eb023aa74b3ab3e34cec8c
10a837ecb7ad77be14a8f216ba9a27e9
1e40a2e8dc545db1b3951b03bc6f1d8b
1bca3e164a7694e2bfc2629ad0b7db8b
c7a919798d24e17663a9c150955521f3
2e4800fb97b05f0d1e4fcaeb813d1f8d
3d3c9407fd88f380fe0ecf16ee272c75
0322bada829af4fbc99deccc6787594b
9e89d8604f37b8d9d910ca8bf2f15198
16e80409037afd6531a3c25648efd36a
0e59ac54f3f9d686876ffca3ab8d0156
662f48cd18a06ab7fa7a036c39dd5009
a05a82856ecb0e9f04dee5f2b945355c
c3150d4a50452db71ce563353ba982af
30e1a69c0102c91804e02b385310b1ef
d96bf3515187f64e04bc30c105eeffaa
17a2073789197d2833c22b7dba0bffb9
a5d7544dc7fcd215554f142ad7882408
c0bf80b9314aec2b1dca0dcb2662f42d
4f2dafde6729cd7069faa9e1a06ecedb
1dc3cb8f363bde761d4cff6e874f7609

Network Activity

URLs

URL	IP
hxxp://duzip.com/Config/sTakeList.asp?n=3196	220.73.162.43
hxxp://220.73.162.42/Config/AdNw/FcTimeLab.asp
hxxp://220.73.162.42/Config/ProgramUpdateLab.asp?version=1347
hxxp://220.73.162.3/Download/MicroProProc.exe
hxxp://maketop.kr/Config/AdNw/StakePsList.asp?uno=3196	220.73.162.49
hxxp://220.73.162.22/Config/FormLocation.asp
hxxp://220.73.162.22/Config/AdNw/FcPimSLab.asp
hxxp://220.73.162.22/Config/newConf/UCg_LPrMLab.asp?user_no=3196
hxxp://220.73.162.22/Config/TransSiteString.asp?nation=KOREA
hxxp://loadform.co.kr/Download/WinCtrCon.exe	220.73.162.14
hxxp://maketop.kr/Config/sTakeList.asp?n=3196	220.73.162.49
hxxp://220.73.162.46/Config/AdNw/FcTimeLab.asp
hxxp://220.73.162.46/Config/NewConf/ProgramUpdateLab.asp?version=1704
hxxp://220.73.162.3/Download/WinCtrProc.exe
hxxp://itemprice.kr/Config/AdNw/StakePsList.asp?uno=3196	220.73.162.55
hxxp://itemprice.kr/Config/FormLocation.asp	220.73.162.55
hxxp://itemprice.kr/Config/AdNw/FcPimSLab.asp	220.73.162.55
hxxp://itemprice.kr/Config/newConf/UCg_LPrMLab.asp?user_no=3196	220.73.162.55
hxxp://itemprice.kr/Config/TransSiteString.asp?nation=KOREA	220.73.162.55
hxxp://itemprice.kr/config/keyword_platinum.asp?user_no=3196&SubName=MAIN	220.73.162.55
hxxp://itemprice.kr/Config/ipget.asp?kn=first&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704	220.73.162.55
hxxp://itemprice.kr/Config/ipget.asp?kn=every&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704	220.73.162.55
hxxp://220.73.162.3/Download/Uninstall_Ctr.exe
hxxp://220.73.162.55/Config/FormLocation.asp
hxxp://220.73.162.55/config/keyword_platinum.asp?user_no=3196&SubName=MAIN
hxxp://220.73.162.55/Config/ipget.asp?kn=first&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704
hxxp://220.73.162.55/Config/newConf/UCg_LPrMLab.asp?user_no=3196
hxxp://220.73.162.55/Config/TransSiteString.asp?nation=KOREA
hxxp://220.73.162.55/Config/AdNw/FcPimSLab.asp
hxxp://220.73.162.55/Config/ipget.asp?kn=every&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Download/WinCtrCon.exe HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

User-Agent: Microsoft URL Control - 6.01.9782

Host: loadform.co.kr

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 23 Jan 2015 05:09:41 GMT

Accept-Ranges: bytes

ETag: "276181cbca36d01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:13:55 GMT

Content-Length: 114144

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9...9...9.......8...P...?.......8...Rich9...........PE..L....r.T.................p... ......."............@..........................................................................i..(...........................................................................(... ....................................text...tb.......p.................. ..`.data...............................@....rsrc...............................@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Config/sTakeList.asp?n=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: duzip.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 917

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDACDSBSTQ=OENNHEJBIMFKADMPDEEECNDJ; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:14:55 GMT

hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..http://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..http://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..http://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 917..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDACDSBSTQ=OENNHEJBIMFKADMPDEEECNDJ; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:14:55 GMT..hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220

<<< skipped >>>

GET /Config/AdNw/FcTimeLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.46

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 157

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDACTCDTBD=CANKNEJBIJMDFOMGPKHHMKHA; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:21:14 GMT

5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y..HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 157..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDACTCDTBD=CANKNEJBIJMDFOMGPKHHMKHA; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:21:14 GMT..5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y..t>....

GET /Config/NewConf/ProgramUpdateLab.asp?version=1704 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.46

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDACTCDTBD=CANKNEJBIJMDFOMGPKHHMKHA

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 19

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:21:17 GMT

1704|WinCtrProc.exeHTTP/1.1 200 OK..Cache-Control: private..Content-Length: 19..Content-Type: text/html..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:21:17 GMT..1704|WinCtrProc.exe..

GET /Config/FormLocation.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 5287

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:56 GMT

hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 157

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:56 GMT

5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......

GET /Config/newConf/UCg_LPrMLab.asp?user_no=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 396

Content-Type: text/html

Expires: Sat, 24 Jan 2015 05:15:57 GMT

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:56 GMT

KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.59/config/LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|....

GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 12071

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:57 GMT

KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http://fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.naver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,http://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /config/keyword_platinum.asp?user_no=3196&SubName=MAIN HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 4784

Content-Type: text/html

Expires: Sat, 24 Jan 2015 05:15:58 GMT

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:57 GMT

[icon][/icon][startpage][/startpage][startpop][/startpop][popup][/popup][adminkeywordpop]N|1024*750|1|..........^±¤°í´ëÇà»ç^광고대행사 ###N|1024*750|2|..........^Å°¿öµå±¤°í^키워드광고 ###N|1024*750|3|http:VVV.naver.com^http:naver.com ###N|1024*750|4|http:VVV.daum.net ###N|1024*750|5|http:kr.yahoo.com ###N|1024*750|6|http:VVV.paran.com ###N|1024*750|7|http:VVV.netmarble.net ###N|1024*750|8|http:VVV.gajai.com ###N|1024*750|9|http:VVV.korea.com^http:VVV.freechal.com^http:VVV.dreamwiz.com ###N|1024*750|10|http:VVV.chol.com^http:kr.msn.com^http:VVV.hanafos.com ###N|1024*750|11|http:VVV.imbc.com^http:VVV.chosun.com^http:VVV.sportsseoul.com^http:VVV.edaily.co.kr ###N|1024*750|12|http:VVV.soribada.com ###N|1024*750|13|http:VVV.hangame.com^http:VVV.sayclub.com ###N|1024*750|14|http:VVV.gmarket.co.kr^http:VVV.interpark.com ###N|1024*750|15|http:VVV.buddybuddy.co.kr ###N|1024*750|16|http:sample.naver.com^................ ###N|1024*750|17|http:zusoo.com^http:VVV.nuguni.com^http:VVV.emdb.co.kr^http:VVV.unitel.co.kr^http:VVV.totalplaza.com ###N|1024*750|18|http:VVV.tworld.co.kr^http:

<<< skipped >>>

GET /Config/ipget.asp?kn=first&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Content-Type: text/html

Expires: Sat, 24 Jan 2015 05:15:58 GMT

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:58 GMT

....

GET /Config/ipget.asp?kn=every&usd=3196&SubName=MAIN&preid=0&ver=sup&Version=1704 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.55

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSSCSRRTB=GMKMPEJBJKCBFAHHIGPPJNDN

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Content-Type: text/html

Expires: Sat, 24 Jan 2015 05:15:59 GMT

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:58 GMT

HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 0..Content-Type: text/html..Expires: Sat, 24 Jan 2015 05:15:59 GMT..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:15:58 GMT..

GET /Config/sTakeList.asp?n=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: maketop.kr

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 917

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDACRACTBA=EPOBPEJBIDNKIEFKKBKHHLBH; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:03 GMT

hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..http://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..http://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..http://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 917..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDACRACTBA=EPOBPEJBIDNKIEFKKBKHHLBH; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:16:03 GMT..hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220

<<< skipped >>>

GET /Download/Uninstall_Ctr.exe HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.3

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Mon, 28 Jul 2014 00:07:10 GMT

Accept-Ranges: bytes

ETag: "ab59ce0f7a9cf1:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:07:21 GMT

Content-Length: 191984

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.............................`.......Rich............................PE..L...8.yS..................... .......(............@..................................(..........................................(.......@...................................................................8... ....................................text............................... ..`.data...............................@....rsrc...@...........................@..@=..H............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Config/AdNw/StakePsList.asp?uno=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: maketop.kr

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 917

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDACRACTBA=AMMBPEJBLMIFBAOHBAMKKNND; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:54 GMT

hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..http://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..http://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..http://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 917..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDACRACTBA=AMMBPEJBLMIFBAOHBAMKKNND; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:15:54 GMT..hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220

<<< skipped >>>

GET /Config/FormLocation.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.22

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 5287

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDQCDRRSBB=LHBOLEJBHMGOCHHGFKHBKJCK; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:38 GMT

hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..http://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.22

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDQCDRRSBB=LHBOLEJBHMGOCHHGFKHBKJCK

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 157

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:38 GMT

5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y......

GET /Config/newConf/UCg_LPrMLab.asp?user_no=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.22

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDQCDRRSBB=LHBOLEJBHMGOCHHGFKHBKJCK

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 396

Content-Type: text/html

Expires: Sat, 24 Jan 2015 05:16:39 GMT

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:39 GMT

KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.56/config/LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|....

GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.22

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDQCDRRSBB=LHBOLEJBHMGOCHHGFKHBKJCK

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 12071

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:39 GMT

KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http://fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.naver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,http://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /Download/MicroProProc.exe HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.3

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Mon, 01 Sep 2014 06:20:28 GMT

Accept-Ranges: bytes

ETag: "238862d3acc5cf1:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:06:49 GMT

Content-Length: 839160

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MTK.,:..,:..,:.~04..,:..33..,:..37..,:.Rich.,:.................PE..L....M.T.....................P......8r............@.................................7...........................................(...........................................................................0... ....................................text............................... ..`.data....5..........................@....rsrc...............................@..@=..H............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Config/AdNw/StakePsList.asp?uno=3196 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: itemprice.kr

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 917

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDSSCSRRTB=CLKMPEJBOOHBAHDOJJEGEDJB; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:15:55 GMT

hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..http://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..http://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..http://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http://220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 917..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDSSCSRRTB=CLKMPEJBOOHBAHDOJJEGEDJB; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:15:55 GMT..hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..hXXp://220.73.162.37,..hXXp://220

<<< skipped >>>

GET /Download/WinCtrProc.exe HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.3

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 23 Jan 2015 05:02:15 GMT

Accept-Ranges: bytes

ETag: "2bb226c1c936d01:0"

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:07:08 GMT

Content-Length: 851416

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MTK.,:..,:..,:.~04..,:..33..,:..37..,:.Rich.,:.................PE..L....q.T.....................P.......r............@.............................................................................(...........................................................................0... ....................................text............................... ..`.data....5..........................@....rsrc...............................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Config/AdNw/FcTimeLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.42

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 157

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: ASPSESSIONIDAACRARTR=BELJEFJBCALCMCHPGAOOOGOF; path=/

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:16:59 GMT

5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,http://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y..HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 157..Content-Type: text/html..Server: Microsoft-IIS/7.0..Set-Cookie: ASPSESSIONIDAACRARTR=BELJEFJBCALCMCHPGAOOOGOF; path=/..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:16:59 GMT..5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y..t>....

GET /Config/ProgramUpdateLab.asp?version=1347 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*

User-Agent: Microsoft URL Control - 6.01.9782

Host: 220.73.162.42

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDAACRARTR=BELJEFJBCALCMCHPGAOOOGOF

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 21

Content-Type: text/html

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Sat, 24 Jan 2015 05:17:01 GMT

1656|MicroProProc.exeHTTP/1.1 200 OK..Cache-Control: private..Content-Length: 21..Content-Type: text/html..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Date: Sat, 24 Jan 2015 05:17:01 GMT..1656|MicroProProc.exe..

Map

The PUP connects to the servers at the folowing location(s):

Strings from Dumps

WinCtrProc.exe_1348:

.text

.text

`.data

`.data

.rsrc

.rsrc

MSVBVM60.DLL

MSVBVM60.DLL

InetCtlsObjects.Inet

InetCtlsObjects.Inet

WebBrowser1

WebBrowser1

SHDocVwCtl.WebBrowser

SHDocVwCtl.WebBrowser

vb6ko.dll

vb6ko.dll

ieframe.dll

ieframe.dll

WebBrowser

WebBrowser

MSINET.OCX

MSINET.OCX

KeywordForm

KeywordForm

GetKeyState

GetKeyState

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

EnumWindows

EnumWindows

GetAsyncKeyState

GetAsyncKeyState

VBA6.DLL

VBA6.DLL

GetWindowsDirectoryA

GetWindowsDirectoryA

UpdateLayeredWindows

UpdateLayeredWindows

User32.DLL

User32.DLL

WSOCK32.DLL

WSOCK32.DLL

RegCloseKey

RegCloseKey

kernel32.dll

kernel32.dll

WinExec

WinExec

advapi32.dll

advapi32.dll

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyA

RegOpenKeyA

RegOpenKeyA

C:\Windows\system32\msvbvm60.dll\3

C:\Windows\system32\msvbvm60.dll\3

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\system32\MSINET.oca

C:\Windows\system32\MSINET.oca

=PC:\Windows\System32\ieframe.oca

=PC:\Windows\System32\ieframe.oca

.Timer2

.Timer2

vb6stkit.dll

vb6stkit.dll

GetKeyboardState

GetKeyboardState

URLEncode

URLEncode

2008:02:21 11:10:24

2008:02:21 11:10:24

urlTEXT

urlTEXT

MsgeTEXT

MsgeTEXT

HhXXp://ns.adobe.com/xap/1.0/

HhXXp://ns.adobe.com/xap/1.0/

xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>

xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>

adobe:docid:photoshop:253266fe-e021-11dc-8e7f-a474304460f4

adobe:docid:photoshop:253266fe-e021-11dc-8e7f-a474304460f4

hXXp://

hXXp://

hXXp:///

hXXp:///

\WinCtrPrc(20140224)\WinCtrProc\WinMatchProc.vbp

\WinCtrPrc(20140224)\WinCtrProc\WinMatchProc.vbp

78E1BDD1-9941-11cf-9756-00AA00C00908

78E1BDD1-9941-11cf-9756-00AA00C00908

Error opening key.

Error opening key.

Error getting subkey value.

Error getting subkey value.

chrome

chrome

mozilla

mozilla

firefox

firefox

opera

opera

Chrome_OmniboxView

Chrome_OmniboxView

netpia.com

netpia.com

keyboard

keyboard

2.asp

2.asp

3.asp

3.asp

/config/formactive.asp?uno=

/config/formactive.asp?uno=

&url=

&url=

&keyword=

&keyword=

&keyno=

&keyno=

&kind=PORTAL

&kind=PORTAL

microsoft.com

microsoft.com

/config/FormActive.asp?uno=

/config/FormActive.asp?uno=

/config/FormActive_Distinct.asp?uno=

/config/FormActive_Distinct.asp?uno=

/config/Formactive_Distinct.asp?uno=

/config/Formactive_Distinct.asp?uno=

&kind=KEYWORD

&kind=KEYWORD

st.asp?uno=

st.asp?uno=

/Config/FormLocation.asp

/Config/FormLocation.asp

/Config/AdNw/FcPimSLab.asp

/Config/AdNw/FcPimSLab.asp

/Config/newConf/UCg_LPrMLab.asp?user_no=

/Config/newConf/UCg_LPrMLab.asp?user_no=

/Config/TransSiteString.asp?nation=

/Config/TransSiteString.asp?nation=

/Config/FileNameDataMicro.asp

/Config/FileNameDataMicro.asp

SetDownValue.asp?uno=

SetDownValue.asp?uno=

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

/Config/UrlEncodeDecode.asp?q=

/Config/UrlEncodeDecode.asp?q=

/Config/MakeStartPage.asp?uno=

/Config/MakeStartPage.asp?uno=

&key=

&key=

?keyword=

?keyword=

?key=

?key=

keyword=

keyword=

/Config/MakeSearchPage.asp?uno=

/Config/MakeSearchPage.asp?uno=

/Config/MakeIcon.asp?uno=

/Config/MakeIcon.asp?uno=

[KEYWORD]

[KEYWORD]

/Config/TargetDataConnect.asp?p=&uno=

/Config/TargetDataConnect.asp?p=&uno=

/Config/MakeProgram.asp?uno=

/Config/MakeProgram.asp?uno=

%Program Files%\micrOLAb\SearchEngin\LanguageConvert

%Program Files%\micrOLAb\SearchEngin\LanguageConvert

/Config/ServerList.asp?uno=

/Config/ServerList.asp?uno=

hXXp://koreaserver.kr

hXXp://koreaserver.kr

hXXp://domainserver.co.kr

hXXp://domainserver.co.kr

hXXp://hostserver.kr

hXXp://hostserver.kr

hXXp://mainserver.kr

hXXp://mainserver.kr

hXXp://makevalue.com

hXXp://makevalue.com

hXXp://duzip.com

hXXp://duzip.com

hXXp://maketop.kr

hXXp://maketop.kr

hXXp://itemprice.kr

hXXp://itemprice.kr

2000-10-01

2000-10-01

Software\Microsoft\Windows\currentversion\Run

Software\Microsoft\Windows\currentversion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\Currentversion\Run

Software\Microsoft\Windows\Currentversion\Run

VB6KO.DLL

VB6KO.DLL

msvbvm60.dll

msvbvm60.dll

wshom.ocx

wshom.ocx

ERROR_URL

ERROR_URL

/advertisebanner/keyword/

/advertisebanner/keyword/

/advertisedistinct/keyword/

/advertisedistinct/keyword/

InternetExplorer.Application

InternetExplorer.Application

/Config/Pop_Key_MainPlatinum.asp?uno=

/Config/Pop_Key_MainPlatinum.asp?uno=

/Config/Pop_Key_MainDistinct.asp?uno=

/Config/Pop_Key_MainDistinct.asp?uno=

&distinct=keyword

&distinct=keyword

error_url

error_url

hXXp://VVV.naver.com

hXXp://VVV.naver.com

/Config/ipget.asp?kn=first&usd=

/Config/ipget.asp?kn=first&usd=

Windows 32s

Windows 32s

Windows 95/98

Windows 95/98

Windows NT

Windows NT

/config/keyword_platinum.asp?user_no=

/config/keyword_platinum.asp?user_no=

[adminkeywordpop]

[adminkeywordpop]

[/adminkeywordpop]

[/adminkeywordpop]

[keywordpop]

[keywordpop]

[/keywordpop]

[/keywordpop]

/Config/ipget.asp?kn=every&usd=

/Config/ipget.asp?kn=every&usd=

MicroProCon.exe

MicroProCon.exe

MicroProProc.exe

MicroProProc.exe

RetainPt.exe

RetainPt.exe

RetainComp.exe

RetainComp.exe

in.asp?uno=

in.asp?uno=

Software\Microsoft\Windows\currentversion\run

Software\Microsoft\Windows\currentversion\run

00000001

00000001

00000060

00000060

.asp?version=

.asp?version=

.asp?user_no=

.asp?user_no=

.asp?uno=

.asp?uno=

/Config/GuideSiteString.asp?p=

/Config/GuideSiteString.asp?p=

.dictionary

.dictionary

dic.daum

dic.daum

dic.naver

dic.naver

dic.nate

dic.nate

http:

http:

https:

https:

로

로

을

을

e.asp?p=

e.asp?p=

.asp?p=

.asp?p=

roLab.asp?p=

roLab.asp?p=

Code.asp?p=

Code.asp?p=

hXXps://

hXXps://

ode.asp?uno=

ode.asp?uno=

/Config/KeySt

/Config/KeySt

ab.asp?p=

ab.asp?p=

/Config/SiteLink_Code.asp?uno=

/Config/SiteLink_Code.asp?uno=

/Config/ConvertLanguagemicrOLAb.asp?p=

/Config/ConvertLanguagemicrOLAb.asp?p=

/Config/OvertureDataConnect.asp?p=&uno=

/Config/OvertureDataConnect.asp?p=&uno=

/Config/RankeyLink_Code.asp?uno=

/Config/RankeyLink_Code.asp?uno=

/advertisebanner/keyword

/advertisebanner/keyword

/advertisedistinct/keyword

/advertisedistinct/keyword

JOIN

JOIN

KEYWORD

KEYWORD

\Internet Explorer\iexplore.exe

\Internet Explorer\iexplore.exe

WScript.Shell

WScript.Shell

iexplorer.exe

iexplorer.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

/Config/KeyStringmicrOLAbPop.asp?p=

/Config/KeyStringmicrOLAbPop.asp?p=

wscript.shell

wscript.shell

/Config/GolbalString.asp?p=

/Config/GolbalString.asp?p=

/Config/TransSiteString_Commit.asp?site=

/Config/TransSiteString_Commit.asp?site=

/Config/FindBrowserCode.asp?p=

/Config/FindBrowserCode.asp?p=

PORTUGAL

PORTUGAL

from portugal

from portugal

to portugal

to portugal

WinCtrProc.exe

WinCtrProc.exe