Trojan.Generic.12056297_9e913b6133 – Adaware

Trojan.Generic.12056297 (B) (Emsisoft), Trojan.Generic.12056297 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 9e913b6133dc02e55a5a01a69b184321

SHA1: 9cdd087e4dad88e5f3dee1a7f0fc819a9e3ca942

SHA256: 586e862a52bd4076dda1fbbe44354f987fb7882482bc97caed11d43f6901f6bc

SSDeep: 98304:HiQcrGTjUDRwqfSauEb2ZBuZLLByeqfSauEb2ZBuZLLByvVQWrvnEVQWrvn :CQfuL6uRXg6uRXC9TE9T

Size: 8086528 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, ACProtect141

Company: AirInstaller

Created at: 2014-10-28 18:50:02

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

taskkill.exe:1744
taskkill.exe:332
regsvr32.exe:2516
regsvr32.exe:3188
amigo.exe:1768
MailRuUpdater.exe:2192
MailRuUpdater.exe:2368
BDKVWsc.exe:2572
id1 - 34.exe:504
%original file name%.exe:928
bddownloader.exe:2316
RegSvr32.exe:4092
RegSvr32.exe:2168
RegSvr32.exe:2272
AmigoDistrib.exe:1676
netsh.exe:2480
BaiduSdTray.exe:2996
etranslator_gui_0 (6) (2).exe:1056
setup.tmp:1748
setup.exe:1304
setup.exe:380
MsiExec.exe:3808
MsiExec.exe:3132
F1023_s_30768.exe:3512

The Trojan injects its code into the following process(es):

%original file name%.exe:1504
BindEx.exe:708
BindEx.exe:248
services.exe:724
svchost.exe:1108

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process amigo.exe:1768 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\debug.log (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\1.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\2.tmp (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\Local State~RF9aaea.TMP (0 bytes)

The process MailRuUpdater.exe:2192 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe (46100 bytes)

The process MailRuUpdater.exe:2368 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E0E17871C3C14B87A55BC9BB6CF463C6.html (0 bytes)

The process id1 - 34.exe:504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (490 bytes)

The process %original file name%.exe:1504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{80C47B02-16F0-424C-920F-6B5A889D2A44}\id1 - 34.exe (1679 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{717598EB-33E7-4687-94A0-8D20DCB6D246}\etranslator_gui_0 (6) (2).exe (23407 bytes)
C:\IEXPLORE.bat (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C1E685B2-3E0A-4D74-9161-D1B5BBD4B5FD}\AmigoDistrib.exe (380715 bytes)
%Documents and Settings%\%current user%\Desktop\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\amigo.bat (645 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Amigo.lnk (2 bytes)

The process AmigoDistrib.exe:1676 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\SETUP.EX_ (1697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\setup.exe (18208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\CHROME.PACKED.7Z (375522 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\CHROME.PACKED.7Z (0 bytes)

The process BaiduSdTray.exe:2996 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config (4 bytes)
C:\ (4 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086 (296 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602 (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%WinDir%\WinSxS (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (484 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (512 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (576 bytes)
%Documents and Settings%\%current user%\Desktop (4 bytes)
%WinDir%\WinSxS\Manifests (1444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4 bytes)
%WinDir%\Prefetch\NETSH.EXE-085CFFDE.pf (24 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (532 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_71023.exe (12137 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\Fonts (544 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%System% (4272 bytes)
%WinDir% (864 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\G1023_s_71023[1].exe (13860 bytes)
%Program Files% (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667 (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (64 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_678.dat (4 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application (4 bytes)
%WinDir%\Prefetch (772 bytes)
%System%\wbem\Logs\wbemcore.log (384 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db (149 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Installer (96 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db (149 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
%WinDir%\Prefetch\BAIDUSDTRAY.EXE-191E616B.pf (65 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (0 bytes)

The process etranslator_gui_0 (6) (2).exe:1056 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\eTranslator\bzip.dll (4061 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator_preferences.json (834 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator1.crx (51 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator3.oex (51 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\sqlite3.dll (3421 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe (24284 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData (3833 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator_withoutzoneid.exe (29521 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData_T (23407 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator2.xpi (20 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator.log (52818 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\eTranslator\bzip.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator_preferences.json (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator1.crx (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator3.oex (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\sqlite3.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator2.xpi (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData_T (0 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe (0 bytes)

The process BindEx.exe:708 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (0 bytes)

The process BindEx.exe:248 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\G1023_s_71023[1].exe (1032277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dlinstlit.txt (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_71023.exe (582160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F1023_s_30768.exe (2142334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\test[1].txt (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F1023_s_30768[1].exe (2905069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The process setup.tmp:1748 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\baidu\is-1T895.tmp (16 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6R3T.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-BD508.tmp (23593 bytes)
%Program Files%\baidu\is-E3PTU.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\baidu\baidu.lnk (479 bytes)
%Program Files%\baidu\BindEx.ini (65 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6R3T.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6R3T.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6R3T.tmp\_isetup (0 bytes)

The process setup.exe:1304 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\ok.exe (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ms.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ko.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nl.pak (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\npchrome_frame.dll (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-BR.pak (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hi.pak (1754 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\Installer\setup.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bg.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hu.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ml.dll (8 bytes)
%Documents and Settings%\%current user%\Desktop\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sk.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\logo.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ml.pak (3679 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\th.pak (1745 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\te.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\am.pak (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\te.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-PT.pak (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\ppgooglenaclpluginchrome.dll (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\vi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\gu.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ar.pak (314 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\mailru_checker_1.2.3.crx (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\amigo.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ja.pak (282 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\agentloader.exe (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\MailRu\MailRuUpdater.exe (46100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\id.pak (209 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es-419.pak (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fa.pak (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_launcher.exe (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-BR.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ca.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\vk.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\it.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fil.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sw.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pl.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ko.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\icudt.dll (72365 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\resources.pak (172310 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ru.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\am.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\libglesv2.dll (6347 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nb.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ar.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ta.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lv.dll (8 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\da.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\et.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\mailruupdater.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bn.pak (1769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\he.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-CN.pak (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-US.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-PT.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\he.pak (266 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\kn.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\xinput1_3.dll (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome.dll (283704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\mr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\ffmpegsumo.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\it.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\vk.exe (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\ok.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ro.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_child.dll (286042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fa.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\kn.pak (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\delegate_execute.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hr.pak (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ja.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\smalllogo.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ta.pak (1829 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\external_extensions.json (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ru.pak (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_frame_helper.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\wow_helper.exe (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bg.pak (1668 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\el.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lt.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fil.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sv.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\chrome.7z (1341364 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ca.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\gcswf32.dll (108196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\tr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\d3dcompiler_46.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\cs.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bn.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\d3dcompiler_43.dll (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es-419.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-TW.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-GB.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\uk.pak (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\splash-620x300.png (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ms.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-TW.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\el.pak (1699 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sr.pak (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\gu.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sw.pak (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\VisualElementsManifest.xml (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ro.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fi.pak (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\secondarytile.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\kgkggmpkealihpbjpdmcblcplljamohl.json (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\et.pak (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\da.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\uk.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lv.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lt.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-GB.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\de.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sk.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hu.dll (8 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_frame_helper.exe (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\libegl.dll (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-US.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\de.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\cs.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sl.pak (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\tr.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_touch_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl_irt_x86_32.nexe (42362 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sv.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\id.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl_irt_x86_64.nexe (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\th.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\vi.pak (263 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-CN.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\metro_driver.dll (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\mr.pak (1748 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\MailRuUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\vk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\agentloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\ok.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\master_preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\wow_helper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\amigo.exe (0 bytes)

The process setup.exe:380 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-PKUDN.tmp\setup.tmp (3781 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-PKUDN.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-PKUDN.tmp\setup.tmp (0 bytes)

The process F1023_s_30768.exe:3512 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDUDiskGuard.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ad.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVMC.rdb (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDownload.dll (15336 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsUpdate.exe (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.sys (13168 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastLogo.ico (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafePlugin.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWrench.sys (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\white_list.dat (12088 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll (63 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonBHO.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMNet.dll (58168 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\811.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCommunicate.dll (39 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUProxy64.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDDriverFixer.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsIU.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\systemfile.dat (3 bytes)
%System%\config (576 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\806.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe (7385 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\HIPSClient.dll (2321 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDPerflog.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCallbackBind.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDKitUtils.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKitUtils.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Repair_PluginConfig.xml (411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepBase.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCScriptBind.dll (32128 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\virus_type.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVMainFrame.dll (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastLogo.ico (12024 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\bduf.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMFrameWork.dll (21480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSkin.dll (33536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavFrame.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect_x64.dll (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KavUpdate.dll (12536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMWindowsLib.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDLogicUtils.dll (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSDWrench.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanS.dll (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vatl.msi (6584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\900.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\directui license.txt (593 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonHook.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\InstallCfg.xml (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVVirusPlugins.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMUpdate.dll (12104 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_customer.xml (75 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\uninst.exe (6841 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMTinyXml.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_self_enc.xml (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (907 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMStringUtils.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\804.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0001.sys (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_self_enc.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\7z.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bduf.dll (13584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.dll (16424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDownload.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt64.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PrivacyProtect.dll (6360 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\cache_config.dat (469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.sys (8752 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSDWrench.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPatchAgent.dll (3104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RtpContainerConfig.xml (818 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayDldProtect.rdb (3616 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMPatchAgent.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVE.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavEngine.dll (3312 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll (673 bytes)
%System%\config\system (1178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt64.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMLog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDLogicUtils.dll (16864 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVUpdate.rdb (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMStringUtils.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\InstallCfg.xml (177 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\putips_wording.dat (580 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDLogicUtils.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hipsClient.xml (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanH.dll (1856 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRecomm.dll (58402 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMNet.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanM.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PullUpConfig.xml (1524 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\updlog.dll (13 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSkin.dll (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSREng.dll (1425 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Documents and Settings%\All Users\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\baidusdRepair.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDArKit.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsBugRpt.exe (3361 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCallbackBind.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Cooly_PluginConfig.xml (726 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DesktopToast.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\res\InstallWnd.zip (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPullUpWS.rdb (3616 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMScriptVM.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDArKit.sys (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\KavUpdate.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMReport.dll (23504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BSRLib.dat (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdmp.dat (32 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\app.ico (12024 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanH.dll (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DesktopToast.exe (3616 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVRecomm.dll (13122 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPlugin.rdb (9608 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMPatchAgent.dll (43 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_self_enc.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\dl.dll (65930 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDbSqlite.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\uninst.exe (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tips.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray.rdb (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\TrustAndIso.dll (1425 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTips.rdb (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPerfMon.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCommunicate.dll (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Cooly_PluginConfig.xml (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanV.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (8 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\monitor_config.dat (559 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\updlog.dll (13 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect_x64.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCScriptBind.dll (7345 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\DriverManager.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKV.rdb (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\FileMon.dll (21216 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\DllInject.dll (43 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\iexplore.exe.xml (528 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\809.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\SearchProtection.rdb (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tuopan.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\810.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanM.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0001.sys (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHips.exe (38495 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\ccesign.dat (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\KVInstallHelper.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ad.dll (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ccesign.dat (12024 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdmp.dat (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\baidusdRepair.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafe.dll (33747 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (880 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\fm.dat (597 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMMsg.dll (47 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\white_list.dat (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMMsg.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMEvents.dll (15 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdRepair.exe (16288 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand64.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepMgr.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDbSqlite.dll (19592 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDConfig.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMEvents.dll (15 bytes)
%System%\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMLog.dll (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSd.exe (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMReport.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BSRLib.dat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\virus_type.dat (1 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdSvc.exe (27704 bytes)
%System%\config\SYSTEM.LOG (4386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDPerflog.dll (10512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMScriptVM.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVCached.dll (23584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tips.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdRepair.exe (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\InstallCfg.xml (177 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\cache_config.dat (469 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\KVCommonRes.rdb (131925 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafe.dll (7547 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVWsc.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\UserDetectionPlugin.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSRCore.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\placeholder_tmp (11 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\wverify.dat (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRmvDevPlugin.dll (8560 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMDownload.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DllInject.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsClient.xml (18 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMBase.dll (32128 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe (5873 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonHook.dll (12088 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\PullUpConfig.xml (1524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDriverFixer.dll (16368 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\systemfile.dat (6 bytes)
%System%\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMTinyXml.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\duilib license.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tuopan.png (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVMainFrame.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSREng.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.dll (4992 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSRCore.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\804.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\HIPSClient.dll (15536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWindowsLib.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanS.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDConfig.dll (36536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdcomproxy.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vcrt.msi (22552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0002.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDDriverFixer.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe (15116 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\blacksign.dat (1704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVFixerConfigMgr.dll (8560 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafePlugin.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe (37 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\FileMon.dll (4185 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\duilib license.txt (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\811.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (784 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt.dll (2321 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanV.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsIU.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\cache_config.dat (938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdTray.exe (66750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\806.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\GetSupplyId.dll (3616 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMReport.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerLuaScript.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\patch.7z (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDownLoadProtectPlugin.dll (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_product.xml (291 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\systemfile.dat (3 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\user_trusted_list.dat (125 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\putips_wording.dat (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\scan_mgr_config.dat (5 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVConfig.rdb (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrustAndIso.dll (13440 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVTray_PluginConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\NetService.ini (1230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavFrame.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand64.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (1287722 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMAVE.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDPerflog.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll (43 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepMgr.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Repair_PluginConfig.xml (411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVEng.dll (46488 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\810.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMPerfMon.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdBugRpt.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0003.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DriverManager.dll (8608 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll (47 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\app.ico (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUpdate.exe (33263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDCooly.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVCached.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\BDMSkin.dll (37727 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDCooly.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand.dll (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDConfig.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CompatibilityChecker.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavCommon.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\user_trusted_list.dat (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVWsc.exe (13368 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\KVFixerConfigMgr.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavCommon.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavEngine.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\wverify.dat (132336 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\7z.dll (2105 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWindowsLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDUDiskGuard.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVE.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\810.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vcrt.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrustAndIso.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMLog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDLogicUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RepairPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHips.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerConfig.dat (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\KVInstallHelper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMStringUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ccesign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdmp.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\putips_wording.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafe.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVFixerConfigMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CoolyContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hipsClient.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanH.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVTray_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRecomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\fm.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PullUpConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMMsg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GameNoDisturb.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdcomproxy.dll (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDbSqlite.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWrench.sys (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMEvents.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\smr.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\kav_verify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\baidusdRepair.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastLogo.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\cache_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastImage.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\virus_type.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonBHO.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMNet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\GetSupplyId.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\811.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerLuaScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafePlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdRepair.exe (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\patch.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\res\InstallWnd.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdvs.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDownLoadProtectPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDPerflog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\901.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframe_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVCached.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRmvDevPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCallbackBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect_x64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMScriptVM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\scan_mgr_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BSRLib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKitUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\UserDetectionPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSRCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCScriptBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVMainFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DesktopToast.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMFrameWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSkin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\placeholder_tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KavUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DllInject.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Repair_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVEng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSDWrench.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanS.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ad.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUProxy64.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vatl.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\900.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\iexplore.exe.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0003.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\InstallCfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\directui license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DriverManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsIU.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVVirusPlugins.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrayPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMUpdate.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDCooly.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_customer.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPerfMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCommunicate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonHook.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\BDMSkin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVTrayTipsPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_self_enc.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdTray.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\dl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVRtp_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Cooly_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanV.dll (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bddownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\systemfile.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDriverFixer.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\806.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CompatibilityChecker.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\monitor_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\updlog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\7z.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMTinyXml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bduf.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\duilib license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavCommon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tuopan.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\user_trusted_list.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSREng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVWsc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.dll (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\804.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PrivacyProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\809.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerXMLScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\FileMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPatchAgent.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RtpContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\HIPSClient.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\wverify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\white_list.dat (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframePluginContainerConfig.xml (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (0 bytes)

Registry activity

The process taskkill.exe:1744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 F4 F3 CD 2C C0 27 B5 24 5E 2C 7B A9 FA 95 DF"

The process taskkill.exe:332 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 48 09 BA 65 FA 69 6F 0D 82 3B 6E BB 7A 38 56"

The process regsvr32.exe:2516 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 1A 26 F7 A4 57 CC 02 08 74 5F B0 9A 60 69 44"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process regsvr32.exe:3188 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 15 D4 E0 F6 73 D9 83 D7 72 E0 B3 66 52 02 6C"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}]
"(Default)" = "UÃƒÂ§Ã¢â‚¬ÂºÃ‹Å“ÃƒÂ©Ã‹Å“Ã‚Â²ÃƒÂ¦Ã…Â Ã‚Â¤"

The process amigo.exe:1768 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.html]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCU\Software\Classes\.shtml]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.xhtml]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.xht]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.htm]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 65 2A 03 EF CC 78 C9 84 AA 92 22 0F 0B 7C AF"

[HKCU\Software\Amigo]
"usagestats" = "0"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

The process MailRuUpdater.exe:2192 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"Publisher" = "Mail.Ru"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"DisplayName" = "ÃƒÂÃ‚Â¡ÃƒÂÃ‚Â»Ãƒâ€˜Ã†â€™ÃƒÂÃ‚Â¶ÃƒÂÃ‚Â±ÃƒÂÃ‚Â° ÃƒÂÃ‚Â°ÃƒÂÃ‚Â²Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â¾ÃƒÂÃ‚Â¼ÃƒÂÃ‚Â°Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â¸Ãƒâ€˜Ã¢â‚¬Â¡ÃƒÂÃ‚ÂµÃƒâ€˜Ã‚ÂÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â³ÃƒÂÃ‚Â¾ ÃƒÂÃ‚Â¾ÃƒÂÃ‚Â±ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚Â²ÃƒÂÃ‚Â»ÃƒÂÃ‚ÂµÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸Ãƒâ€˜Ã‚Â ÃƒÂÃ‚Â¿Ãƒâ€˜Ã¢â€šÂ¬ÃƒÂÃ‚Â¾ÃƒÂÃ‚Â³Ãƒâ€˜Ã¢â€šÂ¬ÃƒÂÃ‚Â°ÃƒÂÃ‚Â¼ÃƒÂÃ‚Â¼"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"VersionMajor" = "1"
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru]
"MailRuUpdater.exe" = "Mail.Ru updater"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 4D 09 28 9B 2F B5 C0 91 2B 7B 91 EE 99 E9 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MailRuUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]

The Trojan deletes the following value(s) in system registry:

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MailRuUpdater"

The process MailRuUpdater.exe:2368 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DC F0 05 DF 2C 30 0A 66 9D 62 91 B0 9D 13 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Mail.Ru\IE_Bar\Settings]
"Guid" = "{BDEE9378-6BD9-4C2E-BA1E-68ACEE391ADD}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Mail.Ru\Updater]
"IconsConvertation" = "1"

[HKCU\Software\Mail.Ru\Tech\ptls\{A12C4AB1-F4D0-4771-8C21-613E9D12491F}\ch]
"gdup" = "LlyYT03/qx vUgo0O6evFTcBnV5X6pcJog1NZ2f/v11XfPY/b8ecM5s5dVIbkY9lVX/ IFbdi2fccSAWGIGIcC8Pjl9O6upf8F8GMz2Ur0VaSNgCH4fpX/lPPzQ8tf8dU3/2LifEmm7SfzxUQ8nPOwd56z4NiMl zmhiXB2JiGKo9A=="

The process BDKVWsc.exe:2572 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 4C C3 EC 1A F8 08 92 B3 C0 BE 84 6D 61 86 81"

The process id1 - 34.exe:504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"setup.exe" = "baidu Setup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 EA 4F A6 A2 0E D1 73 97 F6 68 E4 0D 19 3F CD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:928 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 7C 77 B8 26 5D 3F 54 FD 81 28 CA A8 0F 88 D5"

The process %original file name%.exe:1504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\IM]
"HomePage" = "14-12-11 1:57:46"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=809ae869fb7d3446ed13503ac7f7313b&text={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{C1E685B2-3E0A-4D74-9161-D1B5BBD4B5FD}]
"AmigoDistrib.exe" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\9e913b6133dc02e55a5a01a69b184321\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\IM\shortcuts]
"QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xhZG1cQXBwbGljYXRpb24gRGF0YVxNaWNyb3NvZnRcSW50ZXJuZXQgRXhwbG9yZXJcUXVpY2sgTGF1bmNoXEFtaWdvLmxuaw==" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCU\Software\IM\shortcuts]
"QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xhZG1cQXBwbGljYXRpb24gRGF0YVxNaWNyb3NvZnRcSW50ZXJuZXQgRXhwbG9yZXJcUXVpY2sgTGF1bmNoXExhdW5jaCBJbnRlcm5ldCBFeHBsb3JlciBCcm93c2VyLmxuaw==" = ""

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3C}]
"SuggestionsURLFallback" = "http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=809ae869fb7d3446ed13503ac7f7313b&text={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{0633EE93-D776-472f-A0FF-E1416B8B2E3C}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=809ae869fb7d3446ed13503ac7f7313b&text={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\IM\shortcuts]
"QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xhZG1cRGVza3RvcFxBbWlnby5sbms=" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3C}]
"URL" = "http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=809ae869fb7d3446ed13503ac7f7313b&text={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B EC 23 3C 36 0B 9A 1E A4 7C B7 DD 1D BA 78 8F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3C}]
"SuggestionsURL" = "http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=809ae869fb7d3446ed13503ac7f7313b&text={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3C}]
"DisplayName" = "yambler"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\IM\shortcuts]
"QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xhZG1cU3RhcnQgTWVudVxQcm9ncmFtc1xBbWlnby5sbms=" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{717598EB-33E7-4687-94A0-8D20DCB6D246}]
"etranslator_gui_0 (6) (2).exe" = "etranslator_gui_0 (6) (2)"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{80C47B02-16F0-424C-920F-6B5A889D2A44}]
"id1 - 34.exe" = "id1 - 34"

[HKCU\Software\IM\shortcuts]
"QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xhZG1cU3RhcnQgTWVudVxQcm9ncmFtc1xJbnRlcm5ldCBFeHBsb3Jlci5sbms=" = ""

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\9e913b6133dc02e55a5a01a69b184321\DEBUG]
"Trace Level"

The process bddownloader.exe:2316 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A AE 9C 1A 0B EA 2D 12 9F 6A D0 43 DB 66 66 09"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process RegSvr32.exe:4092 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 0D D9 29 D9 8E 2C E4 F9 2A 43 17 93 42 D9 1B"

[HKCR\CLSID\{15DEE173-1BE9-4424-81E0-58A87076E9B1}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll"

[HKCR\CLSID\{15DEE173-1BE9-4424-81E0-58A87076E9B1}]
"(Default)" = "WebMonBHO"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15DEE173-1BE9-4424-81E0-58A87076E9B1}]
"(Default)" = "BDHOOK"

"NoExplorer" = "1"

The process RegSvr32.exe:2168 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 87 FE 60 B3 57 5F DB 4E F4 57 60 19 BF 5C 70"

[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"

[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"

The Trojan deletes the following registry key(s):

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
[HKCR\BDShellExt.BDShellExtMenu\CLSID]
[HKCR\BDShellExt.BDShellExtMenu.1]
[HKCR\BDShellExt.BDShellExtMenu]

The process RegSvr32.exe:2272 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 8B 5E 16 95 C6 F5 FD 5F 8B F4 30 61 0D 0C 06"

The process AmigoDistrib.exe:1676 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 1C E5 86 42 48 A2 BD D2 4F F4 BD D2 37 C6 67"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"RFR" = "profitraf7"

The process netsh.exe:2480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 99 EE BF CD 2D 9C BE F1 E3 22 D6 2E CF 89 C4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process BaiduSdTray.exe:2996 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 6E 80 4E 23 B9 90 04 46 3D 2B 38 D1 EE 4A 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{15DEE173-1BE9-4424-81E0-58A87076E9B1}" = "1A"

The process etranslator_gui_0 (6) (2).exe:1056 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\eTranslator]
"PCID" = "im7-200042305-C2107680-92B0-4F35-BA61-7AEA2CB9A809"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\etranslator]
"DisplayName" = "etranslator"

[HKCU\Software\eTranslator]
"PathToApplication" = "%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\etranslator]
"Publisher" = "etranslator"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\etranslator]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe /uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A2 6C C0 92 1A F7 20 E3 F4 91 D5 1D AD 5B A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\etranslator]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe"

[HKCU\Software\eTranslator]
"Version" = "0"
"dir" = "16"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"eTranslator Update" = "%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe -checkforupdates"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process BindEx.exe:708 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 07 D6 67 6D 52 54 C8 6C 27 68 65 1A B3 48 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]

The process BindEx.exe:248 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD C9 0D 9F C6 A3 83 6A 35 B6 B6 51 DF DA 77 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.tmp:1748 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"NoRepair" = "1"
"QuietUninstallString" = "%Program Files%\baidu\unins000.exe /SILENT"

"DisplayVersion" = "1.9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Selected Tasks" = "startup,bind1"
"Inno Setup: Icon Group" = "baidu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"MinorVersion" = "9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"InstallDate" = "20141211"
"DisplayName" = "baidu version 1.9"
"UninstallString" = "%Program Files%\baidu\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\baidu]
"BindEx.exe" = "BindEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Language" = "english"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 9F BB 5A 0A 41 29 22 1E 41 B9 53 5B 73 BB 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: App Path" = "%Program Files%\baidu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Setup Version" = "5.5.5 (a)"
"InstallLocation" = "%Program Files%\baidu\"
"MajorVersion" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"baidu" = "%Program Files%\baidu\BindEx.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process setup.exe:1304 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Amigo]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\Installer\setup.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".webp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCR\.shtml\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Amigo\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\Installer\setup.exe --on-os-upgrade --verbose-logging"

[HKCR\.webp\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Amigo]
"ap" = "-stage:refreshing_policy"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"AgentInstall" = "0"

"ua" = "CHANNEL_profitraf7"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}]
"(Default)" = "CommandExecuteImpl Class"

[HKCU\Software\Amigo]
"pv" = "32.0.1709.113"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Amigo]
"Name" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xhtml" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\.html\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\.htm\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\amigo.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo]
"UninstallArguments" = " --uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"FirstInstall" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"InstallResult" = "install"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "HTML Document"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayVersion" = "32.0.1709.113"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCR\.xht\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mms" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Amigo"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"VersionMajor" = "1709"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --make-default-browser"

[HKCU\Software\Amigo]
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Amigo is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Amigo."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo\Commands\install-extension]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --limited-install-from-webstore=%1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --hide-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".htm" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\Installer\setup.exe --uninstall"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"

[HKCU\Software\Amigo]
"InstallerError" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 66 E8 50 43 23 63 4C 80 65 DC FA 7C 6A BA 35"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"InstallDate" = "20141211"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Amigo"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"Guid" = "{34AC175C-5D3B-4B71-BDBB-95A9533CD3F6}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Amigo]
"oopcrashes" = "1"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"stage" = "1"

[HKCR\.xhtml\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Amigo\Commands\install-extension]
"WebAccessible" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"nntp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"Publisher" = "Mail.Ru"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Amigo]
"InstallerExtraCode1" = "9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\Default User\Application Data"

[HKCU\Software\Amigo\Commands\install-extension]
"RunAsUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\amigo.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"NoModify" = "1"

[HKCU\Software\Amigo]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xht" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayName" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"NoRepair" = "1"
"Version" = "32.0.1709.113"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"ftp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Amigo]
"lang" = "en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --show-icons"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"VersionMinor" = "113"

[HKCU\Software\Amigo\Commands\install-extension]
"SendsPings" = "1"

[HKLM\SOFTWARE\RegisteredApplications]
"Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"amigo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --no-startup-window"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Amigo]
"ap"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"InstallResult"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Amigo]
"InstallerExtraCode1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process setup.exe:380 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 28 E4 65 68 48 74 FE 6B E6 DB 0F C2 1B A4 BC"

The process MsiExec.exe:3808 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 1C D7 F7 10 45 6B 73 5F F7 74 49 42 96 17 DA"

The process MsiExec.exe:3132 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 AC 99 10 3B DE B5 49 B4 D9 8F 38 D4 8B 76"

The process F1023_s_30768.exe:3512 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-12-11"
"Version" = "2.1.0.3086"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\app.ico"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"DisplayVersion" = "2.1.0.3086"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\BDMSkin.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"Publisher" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã…â€œÃ‚Â¨ÃƒÂ§Ã‚ÂºÃ‚Â¿ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ‚Â¯ÃƒÂ¯Ã‚Â¼Ã‹â€ ÃƒÂ¥Ã…â€™Ã¢â‚¬â€ÃƒÂ¤Ã‚ÂºÃ‚Â¬ÃƒÂ¯Ã‚Â¼Ã¢â‚¬Â°ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\explugin\npBaiduSDDetectPlug.dll"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 9F B5 D1 AD 1E 3E 5A 1C 69 32 68 63 39 B0 28"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, bddriver, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_hips" = "%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[]
"DisplayName" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢2.1"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "30768"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdTray.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã¢â‚¬Â°Ã‹Å“ÃƒÂ§Ã¢â‚¬ÂºÃ‹Å“ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdTray.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã¢â‚¬Â°Ã‹Å“ÃƒÂ§Ã¢â‚¬ÂºÃ‹Å“ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdBugRpt.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢BUGÃƒÂ¤Ã‚Â¸Ã…Â ÃƒÂ¦Ã…Â Ã‚Â¥ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdUpdate.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdUpdate.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã¢â‚¬ÂºÃ‚Â´ÃƒÂ¦Ã¢â‚¬â€œÃ‚Â°ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

"BaiduSd.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¤Ã‚Â¸Ã‚Â»ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdBugRpt.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢BUGÃƒÂ¤Ã‚Â¸Ã…Â ÃƒÂ¦Ã…Â Ã‚Â¥ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdSvc.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã…â€œÃ‚ÂÃƒÂ¥Ã…Â Ã‚Â¡ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdSvc.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¦Ã…â€œÃ‚ÂÃƒÂ¥Ã…Â Ã‚Â¡ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of threads by installing the thread notifier.

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

The Trojan installs the following kernel-mode hooks:

ZwUnloadKey

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1744
taskkill.exe:332
regsvr32.exe:2516
regsvr32.exe:3188
amigo.exe:1768
MailRuUpdater.exe:2192
MailRuUpdater.exe:2368
BDKVWsc.exe:2572
id1 - 34.exe:504
%original file name%.exe:928
bddownloader.exe:2316
RegSvr32.exe:4092
RegSvr32.exe:2168
RegSvr32.exe:2272
AmigoDistrib.exe:1676
netsh.exe:2480
BaiduSdTray.exe:2996
etranslator_gui_0 (6) (2).exe:1056
setup.tmp:1748
setup.exe:1304
setup.exe:380
MsiExec.exe:3808
MsiExec.exe:3132
F1023_s_30768.exe:3512
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\debug.log (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\1.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\2.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe (46100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80C47B02-16F0-424C-920F-6B5A889D2A44}\id1 - 34.exe (1679 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{717598EB-33E7-4687-94A0-8D20DCB6D246}\etranslator_gui_0 (6) (2).exe (23407 bytes)
C:\IEXPLORE.bat (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C1E685B2-3E0A-4D74-9161-D1B5BBD4B5FD}\AmigoDistrib.exe (380715 bytes)
%Documents and Settings%\%current user%\Desktop\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\amigo.bat (645 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\SETUP.EX_ (1697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\setup.exe (18208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_23450.tmp\CHROME.PACKED.7Z (375522 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config (4 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086 (296 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602 (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%WinDir%\WinSxS (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (484 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (512 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (576 bytes)
%WinDir%\WinSxS\Manifests (1444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4 bytes)
%WinDir%\Prefetch\NETSH.EXE-085CFFDE.pf (24 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (532 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_71023.exe (12137 bytes)
%WinDir%\Fonts (544 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\G1023_s_71023[1].exe (13860 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667 (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (64 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_678.dat (4 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%System%\wbem\Logs\wbemcore.log (384 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\Installer (96 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Prefetch\BAIDUSDTRAY.EXE-191E616B.pf (65 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\bzip.dll (4061 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator_preferences.json (834 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator1.crx (51 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator3.oex (51 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\sqlite3.dll (3421 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe (24284 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData (3833 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator_withoutzoneid.exe (29521 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\SWData_T (23407 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator2.xpi (20 bytes)
%Documents and Settings%\%current user%\Application Data\eTranslator\etranslator.log (52818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dlinstlit.txt (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F1023_s_30768.exe (2142334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\test[1].txt (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F1023_s_30768[1].exe (2905069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\baidu\is-1T895.tmp (16 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6R3T.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-BD508.tmp (23593 bytes)
%Program Files%\baidu\is-E3PTU.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\baidu\baidu.lnk (479 bytes)
%Program Files%\baidu\BindEx.ini (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\ok.exe (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ms.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ko.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nl.pak (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\npchrome_frame.dll (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-BR.pak (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hi.pak (1754 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1709.113\Installer\setup.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bg.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hu.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ml.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sk.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\logo.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ml.pak (3679 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\th.pak (1745 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\te.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\am.pak (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\te.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-PT.pak (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\ppgooglenaclpluginchrome.dll (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\vi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\gu.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ar.pak (314 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\mailru_checker_1.2.3.crx (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\amigo.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ja.pak (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\agentloader.exe (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\MailRu\MailRuUpdater.exe (46100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\id.pak (209 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es-419.pak (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fa.pak (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_launcher.exe (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-BR.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ca.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\vk.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\it.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fil.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sw.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pl.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ko.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\icudt.dll (72365 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\resources.pak (172310 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ru.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\am.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\libglesv2.dll (6347 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nb.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ar.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ta.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lv.dll (8 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂÃ¢â‚¬â„¢ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¾ÃƒÂÃ‚Â½Ãƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Â°ÃƒÂÃ‚ÂºÃƒâ€˜Ã¢â‚¬Å¡ÃƒÂÃ‚Âµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\da.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\et.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\mailruupdater.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bn.pak (1769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\he.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-CN.pak (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-US.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pt-PT.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\he.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\kn.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\xinput1_3.dll (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome.dll (283704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\mr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\ffmpegsumo.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\it.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\pl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\vk.exe (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hi.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\ok.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ro.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_child.dll (286042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fa.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\kn.pak (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\delegate_execute.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hr.pak (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ja.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\smalllogo.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ta.pak (1829 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\external_extensions.json (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ru.pak (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_frame_helper.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\wow_helper.exe (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bg.pak (1668 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\el.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lt.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fil.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sv.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\chrome.7z (1341364 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ca.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\gcswf32.dll (108196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\tr.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\d3dcompiler_46.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\cs.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\bn.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\d3dcompiler_43.dll (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\es-419.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-TW.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-GB.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\uk.pak (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\VisualElements\splash-620x300.png (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ms.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-TW.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\el.pak (1699 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sr.pak (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\gu.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sw.pak (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\VisualElementsManifest.xml (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\ro.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\fi.pak (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\secondarytile.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\extensions\kgkggmpkealihpbjpdmcblcplljamohl.json (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\et.pak (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\da.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\uk.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lv.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\lt.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-GB.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\nb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\de.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sk.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\hu.dll (8 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂÃ…Â¾ÃƒÂÃ‚Â´ÃƒÂÃ‚Â½ÃƒÂÃ‚Â¾ÃƒÂÃ‚ÂºÃƒÂÃ‚Â»ÃƒÂÃ‚Â°Ãƒâ€˜Ã‚ÂÃƒâ€˜Ã‚ÂÃƒÂÃ‚Â½ÃƒÂÃ‚Â¸ÃƒÂÃ‚ÂºÃƒÂÃ‚Â¸.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_frame_helper.exe (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\libegl.dll (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\en-US.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\de.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\cs.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sl.pak (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\tr.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\chrome_touch_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl_irt_x86_32.nexe (42362 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\sv.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\id.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\nacl_irt_x86_64.nexe (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\th.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\vi.pak (263 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\zh-CN.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\metro_driver.dll (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1304_16837\Chrome-bin\32.0.1709.113\Locales\mr.pak (1748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-PKUDN.tmp\setup.tmp (3781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDUDiskGuard.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ad.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVMC.rdb (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDownload.dll (15336 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsUpdate.exe (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.sys (13168 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastLogo.ico (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafePlugin.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWrench.sys (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\white_list.dat (12088 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll (63 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonBHO.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMNet.dll (58168 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\811.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCommunicate.dll (39 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUProxy64.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDDriverFixer.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsIU.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\systemfile.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\806.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe (7385 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\HIPSClient.dll (2321 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDPerflog.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCallbackBind.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDKitUtils.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKitUtils.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Repair_PluginConfig.xml (411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepBase.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCScriptBind.dll (32128 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\virus_type.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVMainFrame.dll (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastLogo.ico (12024 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\bduf.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMFrameWork.dll (21480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSkin.dll (33536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavFrame.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect_x64.dll (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KavUpdate.dll (12536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMWindowsLib.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDLogicUtils.dll (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSDWrench.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanS.dll (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vatl.msi (6584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\900.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\directui license.txt (593 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonHook.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\InstallCfg.xml (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVVirusPlugins.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMUpdate.dll (12104 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_customer.xml (75 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\uninst.exe (6841 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMTinyXml.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hips_self_enc.xml (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (907 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMStringUtils.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\804.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0001.sys (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_self_enc.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\7z.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bduf.dll (13584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0002.dll (16424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDownload.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt64.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PrivacyProtect.dll (6360 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\cache_config.dat (469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.sys (8752 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSDWrench.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPatchAgent.dll (3104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RtpContainerConfig.xml (818 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayDldProtect.rdb (3616 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMPatchAgent.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVE.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavEngine.dll (3312 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll (673 bytes)
%System%\config\system (1178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt64.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMLog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDLogicUtils.dll (16864 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVUpdate.rdb (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMStringUtils.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\InstallCfg.xml (177 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\putips_wording.dat (580 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDLogicUtils.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\hipsClient.xml (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanH.dll (1856 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRecomm.dll (58402 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMNet.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanM.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\PullUpConfig.xml (1524 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\updlog.dll (13 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSkin.dll (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSREng.dll (1425 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Documents and Settings%\All Users\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\baidusdRepair.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDArKit.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsBugRpt.exe (3361 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCallbackBind.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Cooly_PluginConfig.xml (726 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DesktopToast.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\res\InstallWnd.zip (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPullUpWS.rdb (3616 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMScriptVM.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDArKit.sys (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\KavUpdate.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMReport.dll (23504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BSRLib.dat (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdmp.dat (32 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\app.ico (12024 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanH.dll (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DesktopToast.exe (3616 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVRecomm.dll (13122 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPlugin.rdb (9608 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMPatchAgent.dll (43 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_self_enc.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\dl.dll (65930 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDbSqlite.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\uninst.exe (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tips.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray.rdb (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\TrustAndIso.dll (1425 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTips.rdb (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMPerfMon.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\GCCommunicate.dll (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Cooly_PluginConfig.xml (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavScanV.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (8 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\monitor_config.dat (559 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\updlog.dll (13 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect_x64.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCScriptBind.dll (7345 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\DriverManager.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKV.rdb (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\FileMon.dll (21216 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\DllInject.dll (43 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\iexplore.exe.xml (528 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\809.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\SearchProtection.rdb (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tuopan.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\810.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanM.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0001.sys (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHips.exe (38495 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\ccesign.dat (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\KVInstallHelper.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ad.dll (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ccesign.dat (12024 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdmp.dat (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\baidusdRepair.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebSafe.dll (33747 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (880 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\fm.dat (597 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMMsg.dll (47 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\white_list.dat (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMMsg.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMEvents.dll (15 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdRepair.exe (16288 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand64.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMRepMgr.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMDbSqlite.dll (19592 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDConfig.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMEvents.dll (15 bytes)
%System%\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMLog.dll (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSd.exe (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMReport.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BSRLib.dat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\virus_type.dat (1 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDownloadProtect.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdSvc.exe (27704 bytes)
%System%\config\SYSTEM.LOG (4386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDPerflog.dll (10512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMScriptVM.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVCached.dll (23584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tips.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdRepair.exe (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\InstallCfg.xml (177 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\cache_config.dat (469 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\KVCommonRes.rdb (131925 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafe.dll (7547 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVWsc.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\UserDetectionPlugin.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSRCore.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDShellExt.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\placeholder_tmp (11 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\wverify.dat (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVRmvDevPlugin.dll (8560 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMDownload.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DllInject.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsClient.xml (18 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMBase.dll (32128 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe (5873 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\WebMonHook.dll (12088 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\PullUpConfig.xml (1524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDriverFixer.dll (16368 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\systemfile.dat (6 bytes)
%System%\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMTinyXml.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\duilib license.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\tuopan.png (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVMainFrame.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMSREng.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0001.dll (4992 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSRCore.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\804.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\HIPSClient.dll (15536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMWindowsLib.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanS.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDConfig.dll (36536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bdcomproxy.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\vcrt.msi (22552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0002.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDDriverFixer.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe (15116 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\blacksign.dat (1704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVFixerConfigMgr.dll (8560 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafePlugin.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe (37 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\FileMon.dll (4185 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\duilib license.txt (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\811.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (784 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt.dll (2321 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanV.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsIU.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\cache_config.dat (938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdTray.exe (66750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\806.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\GetSupplyId.dll (3616 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMReport.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerLuaScript.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\patch.7z (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDDownLoadProtectPlugin.dll (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_product.xml (291 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\systemfile.dat (3 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\user_trusted_list.dat (125 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\putips_wording.dat (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\scan_mgr_config.dat (5 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVConfig.rdb (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrustAndIso.dll (13440 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVTray_PluginConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\NetService.ini (1230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavFrame.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand64.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (1287722 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMAVE.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDPerflog.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll (43 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepMgr.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\Repair_PluginConfig.xml (411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDMAVEng.dll (46488 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\810.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMPerfMon.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdBugRpt.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bd0003.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\DriverManager.dll (8608 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll (47 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\app.ico (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BaiduSdUpdate.exe (33263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDCooly.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVCached.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\BDMSkin.dll (37727 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDCooly.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVDeskBand.dll (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDConfig.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\CompatibilityChecker.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BavCommon.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\user_trusted_list.dat (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\BDKVWsc.exe (13368 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\KVFixerConfigMgr.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavCommon.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavEngine.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\file\wverify.dat (132336 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\7z.dll (2105 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MailRuUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"eTranslator Update" = "%Documents and Settings%\%current user%\Application Data\eTranslator\eTranslator.exe -checkforupdates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"baidu" = "%Program Files%\baidu\BindEx.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"amigo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --no-startup-window"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: 0.0.0.0
Product Name: 0.0.0.0
Product Version: 0.0.0.0
Legal Copyright: 0.0.0.0
Legal Trademarks: 0.0.0.0
Original Filename: 0.0.0.0
Internal Name: 0.0.0.0
File Version: 0.0.0.0
File Description: 0.0.0.0
Comments: 0.0.0.0
Language: English (United Kingdom)

Company Name: 0.0.0.0Product Name: 0.0.0.0Product Version: 0.0.0.0Legal Copyright: 0.0.0.0Legal Trademarks: 0.0.0.0Original Filename: 0.0.0.0Internal Name: 0.0.0.0File Version: 0.0.0.0File Description: 0.0.0.0Comments: 0.0.0.0Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2491916	2492416	4.49624	d3e56176cccc2d63615cc428353cba9f
.itext	2498560	8388	8704	4.31856	fba802c40e1cbe19226783ab161d586f
.data	2510848	22872	23040	3.57779	e4fc7fe9a9187919095376fc2fa022c4
.bss	2535424	21852	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	2560000	14876	15360	3.53207	bfb7d44dad0bde449282d497c1d61a89
.didata	2576384	2518	2560	2.90164	b52800be4f3b71638a52a44f0c581100
.tls	2580480	80	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	2584576	24	512	0.143426	c5b60a955b567dfd021dd069f786560f
.reloc	2588672	233652	233984	4.62552	ef2fda4b19ab5821add6163588b2e787
.rsrc	2826240	5306690	5306880	5.52336	e2483020b986011e548a2669a8bb829f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
43a57e295389b33940065640d26ca3f2
7269ea0914ebde28fdbb10ed474c075f
625cef4edf44f1688027593d63d5a8b7
58eef55d2cda5ce47a2c8aaeba63dcee
95871415ba84c2b3e96ae89fd7b40b44

Network Activity

URLs

URL	IP
hxxp://7d8elkqrpz9cesw.xn--n1aaaglu5c.xn--p1ai/api
hxxp://moscow.cdnmail.ru/AmigoDistrib.exe
hxxp://amigobin.cdnmail.ru/AmigoDistrib.exe	217.69.139.110

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /AmigoDistrib.exe HTTP/1.1

Host: amigobin.cdnmail.ru

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 10 Dec 2014 23:55:52 GMT

Content-Type: application/octet-stream

Content-Length: 50381352

Connection: keep-alive

Last-Modified: Wed, 22 Oct 2014 09:47:42 GMT

ETag: "54477d3e-300c228"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vv..................*....`................0.......=.......7.....Rich............................PE..L...I.>T.................6...v......p8.......P....@.........................................................................`?..x....p...t..............(............................................................................................text....4.......6.................. ..`.data... ....P......................@....rsrc....t...p...v...:..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................DD..6D..$D...D..TD......&A..6A..BA..TA..`A..vA...A...A...A...A...A...A...B...B..$B..@B..LB..bB..xB...B...A...B...B...B...B...B...B...C...C..0C..>C..TC..dC..xC...C...C...C...C...C...C...A...@...@...@...B...@.......D..rD.......D...D.......D......................I.>T........[...,...,.......{.8.A.6.9.D.3.4.5.-.D.5.6.4.-.4.6.3.c.-.A.F.F.1.-.A.6.9.D.9.E.5.3.0.F.9.6.}.....{.F.D.A.7.1.E.6.F.-.A.C.4.C.-.4.a.0.0.-.8.B.7.0.-.9.9.5.8.A.6.8.9.0.6.B.F.}.....{.8.B.A.9.8.6.D.A.-.5.1.0.0.-.4.0.5.E.-.A.A.3.5.-.8.6.F

<<< skipped >>>

POST /api HTTP/1.0

Connection: keep-alive

Content-Length: 339

Host: 7d8elkqrpz9cesw.xn--n1aaaglu5c.xn--p1ai

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

....x.eQ.n.0....U.z..5C..@..A.......Zr. ...J...`....Q.\..ZH.:;.....R.....l{.\'5......*....#}..2...g...s.....u..0......y.R.1.e.........~M....T.g..0O?.a..\s^jO..SI.U 0...W..'.FT..?....Hj......W.......b.......N9.............i :...................}\E..1d..d.*...F.....mW..c.(-.r...x)..]i....;%O6f...V..&...[rT.uC.8-.........-..NP.@......o

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Wed, 10 Dec 2014 23:55:23 GMT

Content-Type: text/html; charset=utf-8

Connection: close

X-Powered-By: PHP/5.4.17

....x..Xmo.8.. Qt[.R.$..T. .....j..~8.".L GH....U...........b.....=...b..4..9..6s.v..I.t.............'?t.<.......(....f.r.a...m;. .A......qa...3...1.O.0.T..,gq....C.. ....&l ..a...4....m...G...%u?H.,..|J.]!.EY..~.....(....J.l.}..a:..I......8.t....n.A..^{...G.w.%.i...h........=.5aP.V.p&...3.O....$..KX..N.g....E.h.r..H.9.r.9...r..KeR..K5[..W..bV.5.E....K.@jiK?..T'}.|.vs....M...........>a...nE..2q..V...w&<.....E..yBv..{y...S.(.!N.....{.Z.E`.S.AV.h..d..*#k..!.6...I..q0.....y..}..d.@<.|.x...x....@Fi.<`...e....&.u.... ..@..........<`p..@..y..|.o..<.F.M..s..R..8-...F..".l.....".*-......"(.3!.[qM..\.....@.....3.@\.0...........<..z).}..x.P.j...s..,O.......s..ZG{.=:..._(...*.uio(i.WRVYi.E...YZ.d..hp.8=5.K=P...[.2.).. ....n8^ .tP.E_e.P<T... 5.Ci*...@.).....U.n.#u....#.....|.S.l.c..{...U..X.J].tv....o..~...?..xVA.A.;...0D...nm.F..d$.j........|.5..J.4.....2..\...x....@.9~.....s.b[........m.-(......l6..R...... ...;.%.1..-.......\..5....]..{<.t.``_.ZJ.. .-.Hs.K?.w^..Z.2.N. ..hw...d.c9.H...f.....\m...YY....'4IK-.bS.c..*..8.B.V...6B.........j...S.i... .......ZAV.......`.. ....5.K...&.U..j.u.won......qV.k..G...<..9...g.JE_...l.Z.. ...n...k...........&[.MR... o..VB.*1.$1..?.....%s........C..}.....~...$.....<.......Pz.....C-.l....w.J........V.{.h...W...N?........

POST /api HTTP/1.0

Connection: keep-alive

Content-Length: 333

Host: 7d8elkqrpz9cesw.xn--n1aaaglu5c.xn--p1ai

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

....x.eQ.n. ...h...m.kN.U..R.... a'..4...].....w....".`B)...V0>Pw......(5.z.O..6.......Vp,f._r.K...X....QJ%.T!....!.CLa....T.R.;B..^j@...K;.!.x^...n.i.........Y.......:..K..;... .A....<...g..._...4.|....=.j......|.v....d.G..eH..8.....q..v.o...&} .(..a..%..).FM%.-6.2.K%..T .tk.O..........jK....:...n`.N..^k.{....Sp.......`.q..?)<.v

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Wed, 10 Dec 2014 23:55:22 GMT

Content-Type: text/html; charset=utf-8

Connection: close

X-Powered-By: PHP/5.4.17

k...x..WmO.8.. Q.E Q..n.".^...w,..]>.O..;mD.TNJ.P....B..........<3...q..l.j9..!.s...s..-..4.Q.C.s....<.\.\....g.....jS...8.......,D#/..7..<..(L.F..?....i..%MS.@'.....`.......%}..f.....&i.a...$..X6.I./.....^R."......8IyF...n5....A>..Q.............i.A..Q.v..n..0.F...;0:...yt..w.4.C%[4.....oi:.Ll.RP..a9#&i..dla....jt..,525r5Vr...#e.*3kn.......V..])Es$T....7.q <7G........k...W.\.E...t..QA...b6.....h4D,:...T.`:....Y..K....i./....2."..$...<..L...)i....|_$.c#.mm.!.;.....'.."........V....o.*=;.6..ATER. aSb...1N......y........{H.a...Z.[.........\.q9.......U.T<T4.i......*wj=l..yn....M.........mm.... M@%M;t........rQ&..^.W...Q...Hk^...)-s.........;.....@^..'.%..._.qK.H..S..qE.x..3.U...WO...zf..2R...,.Z..4...{....f..jC....E..._Cji....)........w.<.......4.$.Y....0%.....?.S.UK.TY.Q...g..|...[..8.D....j."KD.v...P.....W ...$Y......y..|....!e....".3....EHEM.P.....z7;w...j_........U.<h........NT.X....X.8...id.!.7 ..K..Yo9..}....u..G8.|.Bf...!.PVT..O........._lg.\'....hos..h..$=.'..r.9;V]...'...5.n...D~..b..4f@%....Y..bcv..s.l.a .a......OFK}X...o..4acc..k..f.K..u..7.........2.s.&..Y9.~C.8..W...ak..Z. By. .....[...p..E..e/....5..~...xx...a...... ....x,.@f.m..m.:......;..]..}..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1504:

.idata

.rdata

.reloc

.rsrc

.aspack

.adata

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

otcpa*cze

Otcpa

.wnmw

ob`gr[cl.lrol

wlcpe[cl.lrol

ijbgx[cl.lrol

ejb".KhAojrgnp.

ejb".sd@ebipeJgticgve6.

ejb".sd]ragf_tgpaiu

Otcpa ?,84&*Wmhfosu"NP&4.5/"Pvcqtk)0.54,3"Vatqikh-16(35

ejb".sd]fmjn_kvvikhq

ejb".sd]fmjn_k`dev`mri

ejb".sd]ojvcgajma`

baakn$(Ccgcrt,

ejb".Eeaetr*

ejb".PKFlc(Gxaewta

ejb".BipmGtgapc

Otcpa ?,84&*Wmhfosu"NP&4.5/"Pvcqtk)0.54,3"Vatqikh-16(35$.knwrclhkmnwrgr-

.VcfivcatPI*

.MCFoshnoeb3Pvierauq(

.hglg9

ejb".BipmGjmsa

e|egpp&VTfRcsoRjragf.ccvTeuiOflgcp.

e|egpp&VTfRcsoRjragf.hicdBtmmQTN(

pvidihcq.mhk

%EVRDERC%XIrevg^OtcpaXirevgrra`q.mhk

OtcpaSoldkqAleuq

otcpa*cze$)loSol

weovfmh"otcpa*cze

%EVRDERC%XKmzmjnaX@kra`mxX

\wccrgn/marcderc.numn

8UgavejPhseij&zmhhq=&nvtt

%QUGRTTMFMJG%XJmcej"Sarvijaq\Evrlmectmil @gvaXAmocjg\Gnpoic^Uwcp @gvaX

{wccrgnVevkq}#*2,#!.173;945247*2,#!.1(!%,4*2,#!.173;945247*4A55EF-F>26)2365 ;0A4/DBD794710075'(!Y]#/9"

Dmurle

otcpa

0|#,2|#,2|#,2|#,2|#,2|#,2|

hprr: )dihc/smrg.vs-gar]ra`grat=perlev;575>

%QUGRTTMFMJG%XJmcej"Sarvijaq\Evrlmectmil @gvaXAmocjg\Gnpoic^Uwcp @gvaXBgfesntX

%EvrDerc%XIrevg"Sk`vwetg\Kvgre&QtedneX

dajgta&drkk"marc sngra&ie};Ãš`cuhr"Sagpcl&Rrkpkdat"Ka

EjsoDmurle

ob`gr[sc.lrol

wlcpe[sc.lrol

ijbgx[sc.lrol

png a~rrauq stktpcl tcpmmuqikh, Png bone$kcy$ncva&rapcltw*"pergnp&cptjkcerkoju. ptcdakcrou. giryvoehpu. kt"opngr$oltajnegrwah&rrkvgrp

.mkar|

%QUGRTTMFMJG%XJmcej"Sarvijaq\Evrlmectmil @gvaX_cn`cz\]glda~@rkqqevZWsat"Derc\@cdaqjv\

$&" $&" &ucfaYdovYcupipetjcca$8 bgnsa*

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

1.0.4

EIdCanNotBindPortInRange

EIdInvalidPortRange@

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

Wship6.dll

EIdIPVersionUnsupportedU

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

127.0.0.1

ftpTransfer

ftpReady

ftpAborted

EIdTCPConnectionError

EIdObjectTypeNotSupported

Portl

ClientPortMinl

ClientPortMax

PortU

"EIdTransparentProxyUDPNotSupported

TIdTCPClientCustom

IdTCPClient

TIdTCPClient

%EIdSocksUDPNotSupportedBySOCKSVersion

saUsernamePassword

Passwordl

Port

0.0.0.1

0.0.0.0

BoundPortl

DefaultPort

TIdTCPConnection

IdTCPConnection

ISO_646.irv:1991

ISO_646.basic:1983

ISO_646.irv:1983

csISO16Portuguese

csISO84Portuguese2

windows-936

csShiftJIS

ISO-8859-1-Windows-3.0-Latin-1

csWindows30Latin1

ISO-8859-1-Windows-3.1-Latin-1

csWindows31Latin1

ISO-8859-2-Windows-Latin-2

csWindows31Latin2

ISO-8859-9-Windows-Latin-5

csWindows31Latin5

csMicrosoftPublishing

Windows-31J

csWindows31J

windows-1250

windows-1251

windows-1252

windows-1253

windows-1254

windows-1255

windows-1256

windows-1257

windows-1258

Uh%XF

%s, %.2d %s %.4d %s %s

password

Password

CommentURL

IdHTTPHeaderInfo

ProxyPasswordl

ProxyPort

%d%s%d

Mozilla/3.0 (compatible; Indy Library)

TIdHTTPMethod

IdHTTP

TIdHTTPOption

TIdHTTPOptions

TIdHTTPProtocolVersion

IdHTTP8

TIdHTTPOnRedirectEvent

TIdHTTPResponse

TIdHTTPRequest

TIdHTTPProtocol

TIdCustomHTTP

TIdHTTP

HTTPOptions4

EIdHTTPProtocolException

application/x-www-form-urlencoded

HTTPS

https

HTTP/1.0 200 OK

HTTP/

TSQLTimeStampVariantType

TSQLTimeStampData

SqlTimSt

%s %s

(%s%s)

-%s%s

%s-%s

%s%s-

-%s %s

%s %s-

%s -%s

(%s- %s)

(%s %s)

coInKey

IADStanAsyncOperation

IADStanAsyncExecutor

ole32.dll

ftParadoxOle

upWhereKeyOnly

pfInKey

ImportedConstraint

LookupKeyFields

KeyFields

TSQLTimeStampField

SQLTimeStamp

%s: %s

%s.%s

supports

importNode

%s="%s"

%s%s%s: %d%s%s

TADSQLTimeIntervalKind

uADStanSQLTimeInt

TADSQLTimeIntervalData

TADSQLTimeIntervalData0gJ

TADSQLTimeIntervalVariantType

Cannot perform operation on non initialized interval value

%u-%.2u

%u %.2u:%.2u:%.2u

%u:%.2u:%.2u

[%s] is not a valid interval

TADGUIxLoginHistoryStorage

TADGUIxLoginDialogEvent

IADGUIxLoginDialog

gcrSQLWait

IADGUIxAsyncExecuteDialog

%sP%uY

%sP%uM

%sP%uD

%sT%uH

%sT%uM

%sT%uS%uF

%sP%uY%uM

%sP%uDT%uH

%sP%uDT%uH%uM

%sP%uDT%uH%uM%uS%uF

%sT%uH%uM

%sT%uH%uM%uS%uF

%sT%uM%uS%uF

EADDBArrayExecuteError

TADThreadMsgBase

TADThreadStartMsg

TADThreadStopMsg

TADThreadTerminateMsg

Failed to %s thread [%s].

Timeout [%d] expired

System error: %s

%s has not supported architecture [%s]. Required [%s].

delphi32.exe

\StringFileInfo\%s\FileDescription

\StringFileInfo\%s\FileVersion

\StringFileInfo\%s\LegalCopyright

\StringFileInfo\%s\Comments

%d.%d.%d (Build %d)%s

rvCmdExecMode

rvCmdExecTimeout

rvDirectExecute

xoIfCmdsInactive

CmdExecMode

CmdExecTimeout

DirectExecute

rsImportingCurent

rsImportingOriginal

rsImportingProposed

TADDatSForeignKeyConstraint

ChildKeyConstraint

ParentKeyConstraint

yyyy-mm-dd hh:nn:ss.zzz

atPLSQLTable

InKey

skExecute

MSSQL

MYSQL

SQLITE

POSTGRESQL

MySQL

SQLite

TADGUIxAsyncExecuteDialog

TADGUIxLoginDialog

Object factory for class %s%s is missing

Class [%s] does not implement interface [%s]

MSSQL2000

MSSQL2005

%s%s=%s%s%s%s

%s%s=%s%s

Password=*****

NewPassword

NewPassword=*****

ADConnectionDefs.ini

TADStanAsyncExecutor

ARow.Table.Name

HistoryWithPassword(

HistoryKey

LoginRetries

ChangeExpiredPasswordl

OnLogint

OnChangePasswordU

TADIndexes

TADSQLTimeIntervalField

UpdateOptions.KeyFields

UpdateOptions.AutoIncFields

FSortView.SortingMechanism

LocateRecord(AKeyFields)

PSGetKeyFields

(SQLTimeInterval)

Uh.eQ

TADConnectionLoginEvent

TADExecuteErrorEvent

LoginDialog

LoginPrompt

OnLoginp

BeforeExecutel

AfterExecutep

TADLocalSQLDataSet

TADLocalSQLDataSets

TADCustomLocalSQL

Indexes

IndexesActive

BeforeExecuteP

AfterExecuteP

LocalSQL

OnExecuteErrorl

TADCustomCommand.Prepare

TADCustomCommand.Prepare - Exception

TADCustomCommand.Unprepare

TADCustomCommand.Unprepare - Exception

TADCustomCommand.InternalClose

TADCustomCommand.InternalClose - Exception

TADCustomCommand.InternalOpenFinished - Exception

TADCustomCommand.InternalOpenFinished

TADCustomCommand.InternalOpen

TADCustomCommand.InternalOpen - Exception

TADCustomCommand.InternalExecuteFinished - Exception

TADCustomCommand.InternalExecuteFinished

TADCustomCommand.InternalExecute

TADCustomCommand.InternalExecute - Exception

TADCustomCommand.FetchFinished - Exception

TADCustomCommand.FetchFinished

TADCustomCommand.Fetch

TADCustomCommand.Fetch - Exception

TADDefaultLocalSQLAdapter

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

MAPI32.DLL

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUp$

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

%s$#%d

uADPhysCmdGenerator

uADPhysCmdGeneratorU

RDB$DB_KEY AS

DB_KEY

{LIMIT(%d,1)}

{LIMIT(%d)}

ADDrivers.ini

Warning: The client [%s] and server [%s] major versions difference > 1.

7.0.1 (Build 3119) Professional

TADPhysCommandAsyncOperation

Table Indexes (

Table PKeys (

Table PKey Fields (

Table FKeys (

Table FKey Fields (

foreign key name

Primary key

TADPhysCommandAsyncExecute

ABSOLUTE,ACTION,ADA,ADD,ALL,ALLOCATE,ALTER,AND,ANY,ARE,AS,ASC,ASSERTION,AT,AUTHORIZATION,AVG,BEGIN,BETWEEN,BIT,BIT_LENGTH,BOTH,BY,CASCADE,CASCADED,CASE,CAST,CATALOG,CHAR,CHAR_LENGTH,CHARACTER,CHARACTER_LENGTH,CHECK,CLOSE,COALESCE,COLLATE,COLLATION,COLUMN,COMMIT,CONNECT,CONNECTION,CONSTRAINT,CONSTRAINTS,CONTINUE,CONVERT,CORRESPONDING,COUNT,CREATE,CROSS,CURRENT,CURRENT_DATE,CURRENT_TIME,CURRENT_TIMESTAMP,CURRENT_USER,CURSOR,DATE,DAY,DEALLOCATE,DEC,DECIMAL,DECLARE,DEFAULT,DEFERRABLE,DEFERRED,DELETE,DESC,DESCRIBE,DESCRIPTOR,DIAGNOSTICS,DISCONNECT,DISTINCT,DOMAIN,DOUBLE,DROP,ELSE,END,END-EXEC,ESCAPE,EXCEPT,EXCEPTION,EXEC,EXECUTE,EXISTS,EXTERNAL,EXTRACT,FALSE,FETCH,FIRST,FLOAT,FOR,FOREIGN,FORTRAN,FOUND,FROM,FULL,GET,GLOBAL,GO,GOTO,GRANT,GROUP,HAVING,HOUR,IDENTITY,IMMEDIATE,IN,INCLUDE,INDEX,INDICATOR,INITIALLY,INNER,INPUT,INSENSITIVE,INSERT,INT,INTEGER,INTERSECT,INTERVAL,INTO,IS,ISOLATION,JOIN,KEY,LANGUAGE,LAST,LEADING,LEFT,LEVEL,LIKE,LOCAL,LOWER,MATCH,MAX,MIN,MINUTE,MODULE,MONTH,NAMES,NATIONAL,NATURAL,NCHAR,NEXT,NO,NONE,NOT,NULL,NULLIF,NUMERIC,OCTET_LENGTH,OF,ON,ONLY,OPEN,OPTION,OR,ORDER,OUTER,OUTPUT,OVERLAPS,PAD,PARTIAL,PASCAL,PLI,POSITION,PRECISION,PREPARE,PRESERVE,PRIMARY,PRIOR,PRIVILEGES,PROCEDURE,PUBLIC,READ,REAL,REFERENCES,RELATIVE,RESTRICT,REVOKE,RIGHT,ROLLBACK,ROWSSCHEMA,SCROLL,SECOND,SECTION,SELECT,SESSION,SESSION_USER,SET,SIZE,SMALLINT,SOME,SPACE,SQL,SQLCA,SQLCODE,SQLERROR,SQLSTATE,SQLWARNING,SUBSTRING,SUM,SYSTEM_USER,TABLE,TEMPORARY,THEN,TIME,TIMESTAMP,TIMEZONE_HOUR,TIMEZONE_MINUTE,TO,TRAILING,TRANSACTION,TRANSLATE,TRANSLATION,TRIM,TRUE,UNION,UNIQUE,UNKNOWN,UPDATE,UPPER,USAGE,USER,USING,VALUE,VALUES,VARCHAR,VARYING,VIEW,WHEN,WHENEVER,WHERE,WITH,WORK,WRITE,YEAR,ZONE

#INDEXES

#PRIMARYKEYS

#PRIMARYKEYFIELDS

#FOREIGNKEYS

#FOREIGNKEYFIELDS

PKEY_NAME

FKEY_NAME

PKEY_CATALOG_NAME

PKEY_SCHEMA_NAME

PKEY_TABLE_NAME

PKEY_COLUMN_NAME

RESULTSET_KEY

RESULTSET_KEY =

TADPhysSQLiteMetadata

TADPhysSQLiteCommandGenerator

ABORT,ADD,AFTER,ALL,ALTER,ANALYZE,AND,AS,ASC,ATTACH,AUTOINCREMENT,BEFORE,BEGIN,BETWEEN,BY,CASCADE,CASE,CAST,CHECK,COLLATE,COLUMN,COMMIT,CONFLICT,CONSTRAINT,CREATE,CROSS,CURRENT_DATE,CURRENT_TIME,CURRENT_TIMESTAMP,DATABASE,DEFAULT,DEFERRABLE,DEFERRED,DELETE,DESC,DETACH,DISTINCT,DROP,EACH,ELSE,END,ESCAPE,EXCEPT,EXCLUSIVE,EXISTS,EXPLAIN,FAIL,FOR,FOREIGN,FROM,FULL,GLOB,GROUP,HAVING,IF,IGNORE,IMMEDIATE,IN,INDEX,INITIALLY,INNER,INSERT,INSTEAD,INTERSECT,INTO,IS,ISNULL,JOIN,KEY,LEFT,LIKE,LIMIT,MATCH,NATURAL,NOT,NOTNULL,NULL,OF,OFFSET,ON,OR,ORDER,OUTER,PLAN,PRAGMA,PRIMARY,QUERY,RAISE,REFERENCES,REGEXP,REINDEX,RENAME,REPLACE,RESTRICT,RIGHT,ROLLBACK,ROW,SELECT,SET,TABLE,TEMP,TEMPORARY,THEN,TO,TRANSACTION,TRIGGER,UNION,UNIQUE,UPDATE,USING,VACUUM,VALUES,VIEW,VIRTUAL,WHEN,WHERE

CAST(STRFTIME('%d',

CAST(STRFTIME('%S',

FROM sqlite_sequence WHERE name = '

sqlite_master t1

sqlite_temp_master t2)

foreign_key_list("

Password must be not empty

Invalid password is specified or DB is corrupted

Invalid password is specified

Cipher: Password must be not empty

Cipher: failed to change the DB password

;.ud3

~.SWj

~.CB3

TSQLiteRTreeDoubleArray

uADPhysSQLiteWrapper

ESQLiteNativeException

TSQLiteLib

TSQLiteHandle

TSQLiteDatabase

TSQLiteExtension

TSQLiteExtensionManager

TSQLiteCollation

TSQLiteValueDef

TSQLiteValue

TSQLiteStmtVar

TSQLiteBind

TSQLiteColumn

TSQLiteVariables

TSQLiteStatement

TSQLiteFuncVar

TSQLiteInput

TSQLiteInputs

TSQLiteOutput

TSQLiteFunction

TSQLiteFunctionData

TSQLiteExpressionFunction

TSQLiteExpressionFunctionData

TSQLiteRTree

TSQLiteRTreeData

sqlite3_libversion

sqlite3_libversion_number

sqlite3_compileoption_used

sqlite3_compileoption_get

sqlite3_initialize

sqlite3_shutdown

sqlite3_close

sqlite3_errcode

sqlite3_errmsg

sqlite3_extended_result_codes

sqlite3_open

sqlite3_open_v2

sqlite3_key

sqlite3_rekey

sqlite3_trace

sqlite3_profile

sqlite3_busy_timeout

sqlite3_get_autocommit

sqlite3_set_authorizer

sqlite3_update_hook

sqlite3_limit

sqlite3_changes

sqlite3_total_changes

sqlite3_interrupt

sqlite3_last_insert_rowid

sqlite3_enable_shared_cache

sqlite3_release_memory

sqlite3_soft_heap_limit

sqlite3_status

sqlite3_malloc

sqlite3_memory_used

sqlite3_memory_highwater

sqlite3_prepare

sqlite3_finalize

sqlite3_step

sqlite3_reset

sqlite3_column_count

sqlite3_column_type

sqlite3_column_name

sqlite3_column_database_name

sqlite3_column_table_name

sqlite3_column_origin_name

sqlite3_column_decltype

sqlite3_column_blob

sqlite3_column_double

sqlite3_column_int64

sqlite3_column_text

sqlite3_column_bytes

sqlite3_clear_bindings

sqlite3_bind_parameter_count

sqlite3_bind_parameter_index

sqlite3_bind_parameter_name

sqlite3_bind_blob

sqlite3_bind_double

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_text

sqlite3_bind_value

sqlite3_bind_zeroblob

sqlite3_value_type

sqlite3_value_blob

sqlite3_value_bytes

sqlite3_value_double

sqlite3_value_int64

sqlite3_value_text

sqlite3_result_blob

sqlite3_result_double

sqlite3_result_error

sqlite3_result_error_code

sqlite3_result_int64

sqlite3_result_null

sqlite3_result_text

sqlite3_result_zeroblob

sqlite3_create_collation

sqlite3_create_function

sqlite3_user_data

sqlite3_enable_load_extension

sqlite3_load_extension

sqlite3_free

sqlite3_table_column_metadata

sqlite3_progress_handler

sqlite3_declare_vtab

sqlite3_create_module

sqlite3_create_module_v2

sqlite3_vfs_find

sqlite3_vfs_register

sqlite3_vfs_unregister

sqlite3_backup_init

sqlite3_backup_step

sqlite3_backup_finish

sqlite3_backup_remaining

sqlite3_backup_pagecount

sqlite3_wal_hook

sqlite3_wal_autocheckpoint

sqlite3_wal_checkpoint

sqlite3_rtree_geometry_callback

sqlite3_blob_open

sqlite3_blob_close

sqlite3_blob_bytes

sqlite3_blob_read

sqlite3_blob_write

sqlite3_vtab_config

sqlite3_vtab_on_conflict

SQLITE_INTEGER

SQLITE_FLOAT

SQLITE_TEXT

SQLITE_BLOB

SQLITE_NULL

sqlite3

PRIMARY KEY must be unique

ADsqlite3_compare

sqlite3_column_xxx

8.ugj

zSql

sqlite_version

SQLiteNativeException

TADPhysSQLiteDriverLink

uADPhysSQLite

TADPhysSQLiteDriver

TADPhysSQLiteConnection

TADPhysSQLiteTransaction

TADPhysSQLitePostEventFunc

TADPhysSQLiteEventAlerter

TADSQLiteVarInfoRecD

TADPhysSQLiteCommand

@F:SQLite Database|*.sdb;*.db

ForeignKeys

SQLiteAdvanced

foreign_keys

TADPhysSQLiteEventMessageU

DriverID=SQLite

libeay32.dll

ssleay32.dll

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_certificate_file

SSL_get_peer_certificate

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_check_private_key

X509_STORE_CTX_get_current_cert

des_set_key

sslvrfFailIfNoPeerCert

TPasswordEvent

Certificate

RootCertFile\

CertFile\

KeyFile

OnGetPassword\

EIdOSSLLoadingRootCertError

EIdOSSLLoadingCertError

EIdOSSLLoadingKeyError

Open SSL Support DLL Delphi and C Builder interface

hXXp://VVV.indyproject.org/

1993 - 2004

https:

\\.\Scsi%d:

8$4,8$4

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYHerF

3.7.15

SQLITE_

d-d-d d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

RowKey

GetProcessHeap

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

%s\%s

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

SQLite format 3

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjXXXXXX9XXz

MJ delete: %s

MJ collide: %s

-mjX9X

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_parent

%s OR name=%Q

type='trigger' AND (%s)

sqlite_

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_stat1

sqlite_stat3

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

SELECT idx,count(*) FROM %Q.sqlite_stat3 GROUP BY idx

SELECT idx,neq,nlt,ndlt,sample FROM %Q.sqlite_stat3

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

Invalid key value

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

sqlite_detach

sqlite_attach

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

unable to identify the object to be reindexed

no such collation sequence: %s

table %s may not be modified

cannot modify %s because it is a view

sqlite_source_id

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_get

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

constraint %s failed

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

rekey

hexkey

hexrekey

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s TABLE %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid>? AND rowid)

%s (rowid>?)

%s (rowid)

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

at most %d tables in a join

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

SQL logic error or missing database

unknown operation

large file support is disabled

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

no such table column: %s.%s

CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)

CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);

docid INTEGER PRIMARY KEY

%z, 'c%d%q'

CREATE TABLE %Q.'%q_content'(%s)

CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));

CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);

PRAGMA %Q.page_size

,%s(x.'c%d%q')

FROM '%q'.'%q%s' AS x

,%s(?)

unrecognized parameter: %s

unrecognized matchinfo: %s

unrecognized order: %s

error parsing prefix parameter: %s

missing %s parameter in fts4 constructor

SELECT %s WHERE rowid = ?

malformed MATCH expression: [%s]

SELECT %s ORDER BY rowid %s

illegal first argument to %s

porter

unknown tokenizer: %s

SELECT %s WHERE rowid=?

INSERT INTO %Q.'%q_content' VALUES(%s)

%s_segments

SELECT %s

unrecognized matchinfo request: %c

%d %d %d %d

CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))

CREATE TABLE x(%s

%s, %s

%s {%s}

?456789:;

!"#$%&'()* ,-./0123

10000000000000000010

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

RegQueryInfoKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

GetCPInfo

version.dll

gdi32.dll

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

crtdll_wrapper

KWindows

UrlMon

rSqlTimSt

.uADStanAsync

%uADPhysCmdPreprocessor

uADPhysSQLiteMeta

uADPhysSQLiteCli

sndkey

0IdHTTPHeaderInfo

gDISQLite3Api

DISQLite3Database

IdTCPServer

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

hXXp://VVV.w3.org/2001/XMLSchema

hXXp://VVV.w3.org/2000/xmlns/

hXXp://VVV.w3.org/2001/XMLSchema-instance

888816666554443

6666554443

!6666554443

No help keyword specified.

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

No matching DOM Vendor: "%s"

Node "%s" not found

IDOMNode required.Attributes are not supported on this node type

Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions

Node is readonlyCRefresh is only supported if the FileName or XML properties are set

VTab: Operation is not supported!VTab: Savepoint [%d] is not found!VTab: Dataset modification failed/VTab: Explicit ROWID at INSERT is not supported9VTab: Dataset state was changed. Cannot perform operation"VTab: Specified row does not exist

VTab: Invalid cursor;TADLocalSQL must be attached to an active SQLite connection0VTab: DataSet [%s] is busy by another result set/Cannot perform action. DBTOOLn.DLL is not found

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters)"%s" DOMImplementation already registered

0[%s] is not a callable PL/SQL object (NOE130/SP)2[%s, #%d] is not found in [%s] package (NOE134/SP)TParameter with type TABLE OF BOOLEAN/RECORD not supported (use TADQuery) (NOE135/SP)KParameter with type RECORD must be of named type (use TADQuery) (NOE142/SP))Cannot convert Oracle Number [%s] to TBcd7DBMS_PIPE event alerter supports only single event name9Cannot start a trace session, when there is an active one"Stored procedure [%s] is not founduArray-typed variable [%s] dimensions [%d] are not supported.

Only sigle dimensional simple type arrays are supportedqArray-typed variable [%s] unsupported element type [%d].

Only sigle dimensional simple type arrays are supportedCArray-typed variable [%s] item index [%d] is out of bounds [%d, %d]

Cannot describe type [%d].

%sHSQLite library initialization failed. Main code [%d], extended code [%d]/Database specified by [%p] handle was not foundHVTab: Invalid number of arguments at VTabCreate. Expected [%d], got [%d](VTab: Dataset [%s] is not found or empty

UUnsupported MySQL version [%d].

Supported are client and server from v 3.20 to v 6.2

Port number cannot be changed&Error in parameter [%s] definition. %sFFailed to initialize embedded server.

See MySQL log files for details/Variable [%s] C data type [%d] is not supported

No cursors availableCCannot initialize OCI with character set [%s].

Possible reason: %s1Cannot assign value to BFILE/CFILE parameter [%s]HNo cursor parameters are defined. Include fiMeta into FetchOptions.Items9OCI is not properly installed on this machine (NOE1/INIT)ZUnsupported OCI library [%s] version [%s].

At least version 8.0.3 is required (NOE2/INIT)0Bad or undefined variable param type (NOE12/VAR)5Maximum length (%d) of GTRID exceeded - %d (NOE18/TX)5Maximum length (%d) of BQUAL exceeded - %d (NOE19/TX)@Maximum length (%d) of transaction name exceeded - %d (NOE20/TX)@Too many close braces in names file after alias [%s] (NOE105/DB)

"Cannot move file [%s] to [%s].

%s!Invalid date interval format [%s]ÃŠnnot execute host command [%s].

%s)String size must be of 1 character length.Character cannot be alphanumeric or whitespace

Invalid command [%s] syntax-ACCEPT statement must specify a variable name,DEFINE requires a value following equal sign

VARIABLE has missed right brace"VARIABLE has unsupported data typeÃŠnnot execute command. Not logged onlNo script commands registered.

Possible reason: uADCompScriptCommands unit is not linked to the application`No script to execute for [%s].

Possible reason: SQLScriptFileName and SQLScripts both are empty Connection parameter [%s] must be not empty|DbExpress driver configuration file [%s] is not found.

Timeout expired"Cannot get access to BLOB raw datahVariable length data parameter [%s] overflow.

Value length - [%d], parameter data maximum length - [%d]PCannot perform nonblocking action, while other nonblocking action is in progress

Macro [%s] is not found7Parameter [%s] value index [%d] is out of range [0..%d]mCannot acquire item (connection) from pool.

Maximal number [%d] of simultaneous items (connections) reached.@.

To register it, you can drop component [%s] into your project>.

To register it, you can include unit [%s] into your project

Cannot read [%s] property

Cannot read [%s] object#Cannot read RAW data of [%s] object

Class [%s] is not registered

Unknown storage format [%s]

Table adapter [%s] cannot be assigned to [%s], because it is

already assigned to [%s] and cannot be shared across few datasets6Dataset connection does not match to called connection Table [%s] must have primary keyWLocal SQL engine misusage by [%s].

Hint: activate connection before activating dataset=Table [%s] index [%s] must be existing non-expressional index

Dataset name must be not empty?Dataset name [%s] must be unique across Local SQL [%s] datasets

Text field [%s] is not found

Destination dataset not set;Destination text data file name or stream must be specified6Source text data file name or stream must be specified=Text field [%s] size is undefined in Fixed Size Record format"Text field [%s] name is Duplicated5Bad text value [%s] format for mapping item [%s].

%s?Undefined source field or expression for destination field [%s]

ADManager must be active#Connection name [%s] must be unique Connection [%s] must be inactive

Connection [%s] must be active)Connection [%s] establishment is canceled

Connection [%s] cannot be pooled.

Possible reason: connection definition is not in the ADManager.ConnectionDefs list or

TADConnection.Params has additional parameters

Connection [%s] is not found

Possible reason: [%s] ConnectionName property is misspelled or references to nonexistent connection$Command [%s] must be in active state&Command [%s] must be in inactive state*Dataset [%s] must be in cached update moderConnection is not defined for [%s].

Connection [%s] must be online

Expected number of parameters is [%d], but actual number is [%d].

Possible reason: a parameter was added or deletedsData too large for variable [%s]. Max len = [%d], actual len = [%d]

Hint: set the TADParam.Size to a greater value

Database [%s] does not exist

Access 2003 or earlier: hXXp://support.microsoft.com/kb/239114

Access 2007: hXXp://VVV.microsoft.com/download/en/details.aspx?displaylang=en&id=23734

Access 2010: hXXp://VVV.microsoft.com/download/en/details.aspx?id=13255{JRO.JetEngine class is missing on client machine.

Hint: install latest engine from: hXXp://support.microsoft.com/kb/239114aDatabase format is not recognized.

Possible reason: DBVersion value mismatches database version.&Specified database password is invalid

Unknown OLE error1To perform operation DriverLink must be specified To perform operation service must be activeGCannot deinstall a SQLite collation, while there are active connections?%s command %s [%d] instead of [1] record.

Possible reasons: %saupdate table does not have PK or row identifier,

record has been changed/deleted by another user

Too long identifier (> 255)6Parameter [%s] ArraySize [%d] is less than ATimes [%d]=Cannot perform action, because previous action is in progress%Escape function [%s] is not supported8Define(mmReset) is only supported for metainfo retrieval6Cannot generate update query. WHERE condition is empty4Cannot generate update query. Update table undefined

Cannot parse object name - [%s])Syntax error in escape function [%s].

%shADPhysManager shutdown timeout.

Possible reason: application has not released all connection interfaceszParameter [%s] data type is unknown.

Hint: specify TADParam.DataType or assign TADParam value before Prepare/Execute call)Parameter [%s] data type is not supported&Column [%s] data type is not supported

Param [%s] type changed from [ft%s] to [ft%s]. Query must be reprepared.

Possible reason: an assignment to a TADParam.AsXXX property implicitly changed the parameter data type.

Hint: use the TADParam.Value or appropriate TADParam.AsXXX property1A meta data argument [%s] value must be specified

CTransaction [%s] must be inactive. Nested transactions are disabled

Hint: use Execute / ExecSQL method for non-SELECT commands!Command must be is prepared state]Cannot execute command returning result sets.

Hint: use Open method for SELECT-like commands!Command must be open for fetching/Exact %s [%d] of rows, while [%d] was requested

Meta information mismatchvCannot load vendor library [%s].

%sHint: check it is in the PATH or application EXE directories, and has x86 bitness./Cannot get vendor library entry point[s].

Connection must be inactive*Too many login retries. Allowed [%d] times1To perform operation driver manager, must be [%s]

Character [%s] is missed

eCannot set dataset [%s] to offline mode.

Hint: check that FetchOptions.AutoFetchAll is not afDisable|Cannot turn off cached updates mode for DataSet [%s].

Hint: dataset has updated rows, cancel or apply updates before action.Cannot make definition [%s] circular reference7Cannot %s definition [%s]. It has associated connection!Cannot make definition persistent9Cannot load definition list, because it is already loaded$Definition [%s] is not found in [%s]"Definition name [%s] is duplicated"Driver [%s] is not registered.

%sXDriver [%s] cannot be released.

Hint: Close all TADConnection objects and release poolsNTo register it, you can drop component [TADPhys%sDriverLink] into your project5Correct driver ID or define [%s] virtual driver in %seDriver ID is not defined.

Set TADConnection.DriverName or add DriverID to your connection definition

Capability is not supported

Transaction [%s] must be active

View [%s] is not a sorted view"Adapter interface must be suppliedUCannot set MasterSource for dataset [%s].

Nested datasets cannot have a MasterSourceMCannot set MasterSource for dataset [%s].

Circular datalinks are not alloweduCannot refresh dataset [%s].

Cannot open dataset [%s].

Hint: if that is TADMemTable, use CreateDataSet or CloneCursor to open dataset(Index [%s] is not found for dataset [%s],Aggregate [%s] is not found for dataset [%s]6Index [%s] definition is not complete for dataset [%s]:Aggregate [%s] definition is not complete for dataset [%s]7Cannot perform operation on unidirectional dataset [%s]LBookmark key fields [%s] are incompatible

with dataset [%s] key fields [%s] Record editing for dataset [%s] is disabled-Record inserting for dataset [%s] is disabled,Record deleting for dataset [%s] is disabled=Field [%s] specified within %s of DataSet [%s] does not exist

Invalid use of keyword

Invalid character found [%s]

'(' expected but [%s] found"')' or ',' expected but [%s] found

')' expected but [%s] found"IN predicate list may not be empty

Expected [%s].Arithmetic in filter expressions not supported>Operation cannot mix aggregate value with record-varying value

%s&Bookmark is not found for dataset [%s]

XVariable length column [%s] overflow.

Value length - [%d], column maximum length - [%d]

Invalid foreign key [%s]

Invalid unique key [%s]#Cannot change column [%s] data type

Invalid relation [%s](Cannot create parent view. Relation [%s]7Cannot change table [%s] structure, when table has rows;Found a cascading actions loop at checking foreign key [%s]

Record is not lockedFAssigning value [%s] is not compatible with column [%s] data type.

%s,Value [%s] is out of range of [%s] data typeuColumn or function [%s] is not found.

4Duplicate row found on unique index. Constraint [%s]/Cannot process - no parent row. Constraint [%s]2Cannot process - child rows found. Constraint [%s]

Cannot compare rowsÃšta type conversion is not supported

Column [%s] is not searchable=Row may have only single column of [dtParentRowRef] data typewCannot read data from or write data to the invariant column [%s].

Row is not nested)Column [%s] is not reference to other row'Column [%s] is not reference to row set&Cannot perform operation for row state4Cannot change updates registry for DatS manager [%s]"Too many aggregate values per view9Grouping level exceeds maximum allowed for aggregate [%s]

Invalid SQL date/time values

FireDAC Login#Name [%s] is duplicated in the list

Object [%s] is not found(Column [%s] type is unknown or undefined

Constraint [%s]

Cannot begin edit row'Cannot create child view. Relation [%s]

Cannot delete row Column [%s] must have blob value_Fixed length column [%s] data length mismatch.

Value length - [%d], column fixed length - [%d]

Column [%s] is read only

Cannot insert row into table"Column [%s] value must be not null

!Cannot modify a read-only dataset#Nested dataset must inherit from %s

Parameter '%s' not found

Unable to load bind parameters$Field '%s' is of an unsupported type

SQL not supported: %s

Execute not supported: %s1Operation not allowed on a unidirectional dataset

%s is not a valid BCD value

Invalid format type for BCD$Could not parse SQL TimeStamp string

6Size mismatch for field '%s', expecting: %d actual: %d Invalid variant type or size for field '%s'#Value of field '%s' is out of range

Field '%s' must have a value

Field '%s' has no dataset1Field '%s' cannot be a calculated or lookup field

Field '%s' cannot be modified

No index currently active0Field '%s' is not indexed and cannot be modified"Circular datalinks are not allowed/Lookup information for field '%s' is incomplete

DataSource cannot be changed0Cannot perform this operation on an open dataset"Dataset not in edit or insert mode1Cannot perform this operation on a closed dataset1Cannot perform this operation on an empty dataset

Invalid FieldKind Field '%s' is of an unknown type

Duplicate field name '%s'

Field '%s' not found#Cannot access field '%s' as type %s

Invalid value for field '%s'E%g is not a valid value for field '%s'. The allowed range is %g to %gE%s is not a valid value for field '%s'. The allowed range is %s to %s0'%s' is not a valid integer value for field '%s'0'%s' is not a valid boolean value for field '%s'7'%s' is not a valid floating point value for field '%s'6Type mismatch for field '%s', expecting: %s actual: %s

Not Acceptable(Request method requires HTTP version 1.1DThis authentication method is already registered with class name %s.$Error accepting connection with SSL.

Error creating SSL context. Could not load root certificate.

Could not load certificate.#Could not load key, check password.

SSL status: "%s"

File "%s" not found

Object type not supported.

Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.

Reply Code is not valid: %s4Failed attempting to retrieve time zone information.

QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported."%d: Circular links are not allowed

&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Invalid Port Range (%d - %d)

%s is not a valid service.

IPv6 unavailable:The requested IPVersion / Address family is not supported.

End of stream: Class %s at %d)UDP is not support in this SOCKS version.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Connecting to %s.

Socket Error # %d

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

%s expected$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Invalid stream operation

Error*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Invalid data type for '%s'

Line too long List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

%s on line %d

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

ECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid property element: %s

Invalid property type: %s

Ancestor for '%s' not found

Cannot assign a %s to a %s

''%s'' expected

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp

'%s' is not a valid GUID value

I/O error %d

%original file name%.exe_1504_rwx_00400000_0026D000: