Trojan.NSIS.StartPage_fe93c109f6 – Adaware

not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: fe93c109f65be7d36349f613149623a5

SHA1: 47e7d43d9588161e6e8e22a9d1550dd33b1b134c

SHA256: e9b098acbffcf28142d5f587c5c00648cdd97c2f13da0f2ecb56b597dc043508

SSDeep: 12288:2qUnYdbT2wW c1fFbftgCin2JI6J8bc1YT/AAUHnOiNh:2qUnY03lgd2J0bqAU

Size: 567000 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:228
FreeCoinsApp.exe:1760
%original file name%.exe:1736
RegisterInstallStart.exe:1488
wyUpdate4.exe:2704
wyUpdate4.exe:3068
wyUpdate4.exe:3244
ping.exe:2420
find.exe:2428

The Trojan injects its code into the following process(es):

rdms.exe:1616
FCUI.exe:2528
SystemMonitor.exe:2520
FCUpdater.exe:2512
FCMonitor.exe:2340

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process rdms.exe:1616 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (0 bytes)

The process wmic.exe:228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (0 bytes)

The process FreeCoinsApp.exe:1760 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\gpi.bat (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\send_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\global.properties.xml (1638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\close_btn.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\DAutils.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_horizontal_middle_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\arrow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\popup_multi.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\noInternet.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\coins_icon.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\body_ad_purple.png (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FreeCoins\FreeCoins.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll (5568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\search_box.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\jquery.custom-scrollbar.css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\loading_img.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\query_link.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-2.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\openThankYou.bat (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\notifications_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\share_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\ok_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe.config (263 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert_1.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\arrow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.min.js (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tray_icon_on.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\aPop.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\BG_settings.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RunAppMonitor.bat (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\background_body.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_16.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe (7168 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallAddiotionals.bat (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\redeemed_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_OFF_settings_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email-30X1.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_bg.png (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg2.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\storageManager.js (2193 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\runApp.bat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_48.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\production.properties.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_content_footer.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\installPath.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\lock.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe (1965 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\alerts.xml (651 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_blue.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\coins_btn.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.dll (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_center_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\alert_skin_4.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_background.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.xml (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\Thumbs.db (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll (14768 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\index_skin_4.html (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\BG_alert.png (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\Stumbleupon32X32.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\up.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\main_v4.css (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\facebook_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_32.ico (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_gray.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-1.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallNet35xp.bat (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\settings_body.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\redeem_now.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery-1.9.1.min.js (6312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\time_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\lifeCycleManager.js (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\verifyUninstall.bat (464 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\setting_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\settings_link.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\BG_popUP.png (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\time_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_bottom.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\production.properties.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\DAutils.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\json2.js (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionManager.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_64x64.ico (48 bytes)
%Documents and Settings%\%current user%\Desktop\FreeCoins.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_bottom.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionPopupUI.js (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-2.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\pcc.bat (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.cookie.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\coupons_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\verifyUninstall.bat (464 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\googlePlus32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\search_noresults.png (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\borderItem.jpg (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\errorHandling.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\twitter32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\mail_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Thumbs.db (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\body.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\save_btn.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\lock.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\browsers.css (1428 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_ON_settings_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_48.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\time_left_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_16.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_face.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\minimize_app.png (2997 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\close_app.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_32.ico (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\SetupNET35.exe (49498 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-1.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\gmail32X32.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\locked_popup_face2.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\transparent.gif (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\counter_all.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_logo.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\utils.js (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\image_2.jpg (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\email32X32.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_history_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_empty.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\locked_popup_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\ourScrollBar.css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\invite_friends_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\global.properties.xml (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\yahoo32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.xml (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\close_btn_fBack.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\production.properties.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\alertManager.js (2286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\uiManager.js (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\home_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_64x64.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\installPath.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\header_image.png (6312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\invite_friends_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\alerts.xml (1302 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\facebook32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_vertical_middle_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\alerts.xml (651 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_gray.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\global.properties.xml (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\DAutils.dll (3136 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\promotionPopup_skin_4.html (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\up.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_body.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\close_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe.config (546 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_close.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.js (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_pointer.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\commManager.js (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon.png (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (57028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Convert.dll (4583 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)

The process FCUI.exe:2528 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\FreeCoins\fcud.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\FreeCoins (0 bytes)

The process wyUpdate4.exe:2704 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (723 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w010 (0 bytes)

The process wyUpdate4.exe:3068 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (497 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w333 (0 bytes)

The process wyUpdate4.exe:3244 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (294 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w521 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (0 bytes)

Registry activity

The process rdms.exe:1616 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 29 AE E8 F7 54 B0 37 3A 26 4A 69 0B 60 C6 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wmic.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 45 A7 B1 95 20 71 D8 B4 E6 5A E4 41 E2 21 75"

The process FreeCoinsApp.exe:1760 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"DisplayName" = "Free Coins Desktop App 1.26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"URLInfoAbout" = "http://www.freecoins.co"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe"
"Publisher" = "Free Coins."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FCUI.exe" = "7000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\FreeCoins]
"RegistrationStatus" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"DisplayVersion" = "1.26"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 26 38 70 DE 82 4E 5D E1 53 FA 21 F7 7E 41 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\FreeCoins]
"InstallPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins"

[HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"FCUI.exe" = "7000"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"

"FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

The process %original file name%.exe:1736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 37 E4 E3 8A D3 EA C6 E7 59 5F 3E 64 0F 9E C7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process RegisterInstallStart.exe:1488 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 A7 84 21 A1 47 3C FC C6 ED 2B E9 30 A3 F0 E6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\FreeCoins]
"GoogleAnalyticsJsoned" = "{""cm"":""(organic)""

The process FCUI.exe:2528 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CachePrefix" = ":2014081920140820:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FCUI.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081920140820\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1407762306"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0A 73 1B 26 04 B9 04 7D 32 FF 8A 83 C7 32 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheLimit" = "8192"

[HKCU\Software\FreeCoins]
"FreeCoinsUUID" = "1213d483-675f-429b-8b9c-7b4365d1e7f2"
"ver" = "1.26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The process SystemMonitor.exe:2520 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D1 10 BC 9D F5 E0 55 8A E9 D8 58 81 62 CF 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process wyUpdate4.exe:2704 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 A5 BD F9 47 23 FC 86 A4 01 F7 CC 4B F6 21 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process wyUpdate4.exe:3068 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 6D DC 32 28 86 3A E3 43 66 47 03 2D 67 F4 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process wyUpdate4.exe:3244 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 65 33 15 78 C4 A1 DF 67 77 F8 5D 82 98 88 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process ping.exe:2420 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 EF F5 D1 0D 69 EC 63 68 1C 4D 94 97 9D 5D ED"

The process FCUpdater.exe:2512 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 0D 14 B8 E5 AF 2D 7D 34 03 A9 73 6E A9 08 C0"

[HKCU\Software\FreeCoins]
"FreeCoinsIEExt" = "1"
"FreeCoinsFFExt" = "1"
"FreeCoinsInstall" = "2014-8-19-5-36"

The process FCMonitor.exe:2340 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 33 9B F3 EC 86 A8 85 EA 39 01 B6 B2 B8 E0 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process find.exe:2428 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC FF 25 4D E8 20 E2 0B 43 2F E4 C9 9E C2 2E 99"

Dropped PE files

MD5	File path
ab3c14a3c2884dcfe39c221bc3d7757f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\DAutils.dll
139d8945338e268d2455c4d3528b59a6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\FCMonitor.exe
96bc18f8dee95af3771763dee0e15986	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\Newtonsoft.Json.dll
5f162857a195c2cea059622976035982	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\SystemMonitor.exe
37c753d5ab2dba14e7b7e1dc56b87c27	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\wyUpdate.exe
0776370846dfe1d108cbd098db162f35	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\wyUpdate4.exe
ab3c14a3c2884dcfe39c221bc3d7757f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\DAutils.dll
73f678bcd29cba21689dfbaa0e063374	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\FCUpdater.exe
37c753d5ab2dba14e7b7e1dc56b87c27	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\wyUpdate.exe
0776370846dfe1d108cbd098db162f35	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\wyUpdate4.exe
97156d3730ca295bceb65005e43e1556	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\DAutils.dll
462b4784eda015ee2222a685f54708fe	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\FCUI.exe
f2d9d327dd1c6f7242d279087d1b9a0c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll
96bc18f8dee95af3771763dee0e15986	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll
410be2d16ea77628b919414213734785	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe
aafb99a979d4cbe4c0505408bd826f87	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe
9d40de3d6ebfcc6d8501c6629fa2b259	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\SetupNET35.exe
c1158f5765292618d0e23ff5b1b99e53	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\uninst.exe
37c753d5ab2dba14e7b7e1dc56b87c27	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\wyUpdate.exe
0776370846dfe1d108cbd098db162f35	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\wyUpdate4.exe
91ec4108ee17d0a6800f49d6755138df	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\914084156970\FreeCoinsApp.exe
2a5ef58458b77e20115182851d0e4bf9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\Convert.dll
5f13dbc378792f23e598079fc1e4422b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsisunz.dll
b950b7d00028a589f3a6b9889de51782	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\rdms.exe
91ec4108ee17d0a6800f49d6755138df	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\FreeCoinsApp[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name:
Product Name: Setup.exe
Product Version: 1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Setup.exeProduct Version: 1.0 Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	36864	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	229376	3120	3584	2.72195	ecb2f57811e1216779bf9790e5ace50c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 48
55f698dfa9f4d0becb76c70b86a35e89
37a35826b44a6f7dc08f2efa7dc5edcb
98074817f9a780ea48cfd72a1247d983
6cb1e085f1893765d316b2ac3d0a7cb7
35d0d82e99ab227a8036a61f77ee390e
243184caa5aecebf185a6b99d9c3e08e
de5df25bad894c285472140860b2dd84
74112916e3582d7bab8e654f188506b8
6b3c2dd4ebcede91f226d82c1c6089c6
eaba4aaf1128a9ca05a39f34231c52bc
000054aeade704f5ca8b1a0493550b71
41140783f703a6df7462369dbe3f852d
bc786b8de7507076f13911c5809f8659
611a21c471eac31ccb70dc393a7c66fb
a1829913b550e46c3544a0605e40f862
d988f8070ab8f0bfd3e40845d3300874
c0106ff9927efd05d3e74d3cd79f6797
c0b58298dee466313a5e17b969d070ee
824ba00bf5cc85f85979a5b617716eb4
0c303f04c92ab2c13e92e90a1f21794e
2c4293931465af9d6cd990a3e8bf60d8
1c54228ca5c48ccb1d09875d39541b5e
84bd722fea6da21d35d2b9c5aad0561a
7554f68b2e1e2fbff6083e995b0787ea
d4232c4e272ef986fe85195221a9ba1f
20283c332f55101dceb6b874952fb88a

Network Activity

URLs

URL	IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.4
hxxp://freecoins.vo.llnwd.net/d/FreeCoinsApp.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topLine.jpg
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bottomLine.jpg
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&reqid=134427026&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=6303&offerscreenid=&offerorder=7&downloadduration=47937&installduration=47&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com/Installer/TrackFinish?reqid=134427026&x=y&clickid=wHMQM6R5862BFPKD0S10G3CI
hxxp://www.freecoins.co/CA_Servlet/trackingServlet?getGAparams=1
hxxp://www.freecoins.co/CA_Servlet/trackingServlet
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=4&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bodyImg.png
hxxp://www.google.com/collect
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button.png
hxxp://smartinstaller.elasticbeanstalk.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0
hxxp://pagead46.l.doubleclick.net/tag/js/gpt.js
hxxp://www.gamehub.ws/index.php?&productname=Free Coins
hxxp://partnerad.l.doubleclick.net/gpt/pubads_impl_46.js
hxxp://www.gamehub.ws/css/index.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.9.1/jquery.min.js
hxxp://www.gamehub.ws/js/jquery.cookie.js
hxxp://www.gamehub.ws/js/core-min.js
hxxp://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/free_coins_logo.png
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/css/index.css
hxxp://ib.anycast.adnxs.com/tt?id=3092585
hxxp://ib.anycast.adnxs.com/tt?id=3092599
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/desttop_bg.png
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/bg_body.jpg
hxxp://flex.msn.com.nsatc.net/mstag/site/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/mstag.js
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3092599
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3092585
hxxp://ib.anycast.adnxs.com/tt?id=3095266
hxxp://flex.msn.com.nsatc.net/mstag/mstag.1003102000.js
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092585
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092599
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3095266
hxxp://a1961.g.akamai.net/p/a1/83/c9/56/a183c956bc259a9c8afeb3ac09ff6ece.jpg
hxxp://a1961.g.akamai.net/ANX_async_usersync.js
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3095266
hxxp://flex.msn.com.nsatc.net/mstag/tag/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/analytics.js?ver=1312081600
hxxp://a1961.g.akamai.net/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf
hxxp://pagead46.l.doubleclick.net/pagead/conversion.js
hxxp://a1961.g.akamai.net/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf?clickTAG=http://nym1.ib.adnxs.com/click?VQq0ldW_lz-aRSWxEcOSPxsv3SQGgaU_mkUlsRHDkj9UCrSV1b-XP5LkLklgBMhNaH3NEBvel0AnuPJTAAAAAHcwLwAQCgAAXwAAAAIAAABIgQkBVuMGAAAAAQBVU0QAVVNEANgCWgCdGAAAW9wAAgUAAQIAAJAAoCPDbwAAAAA./cnd=%21jwaPPwj_95UCEMiCpggY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyQamrEXsp6w4pkcplfnYGZt2VtnGTKgJWLZpiWXqF6lo9m%3Fdp%3D3092599%26dp2%3Dnym1COj6tYaxw_fLQBACGJLJu8mEjIHkTSIPMTkzLjEzOC4yNDQuMjMxKAEwp_DKnwU.%26dp3%3DCP4553727_S2576_C17400136_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599
hxxp://r.msn.com.nsatc.net/?type=1&domainId=2745850&dedup=1&actionid=207232
hxxp://a1961.g.akamai.net/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf
hxxp://a1961.g.akamai.net/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf?clickTAG=http://nym1.ib.adnxs.com/click?MuYNBGdlYD9FrjRT5edZP8uhRbbz_aQ_Ra40U-XnWT8y5g0EZ2VgP5w9g2LjLK18aH3NEBvel0AouPJTAAAAAOI6LwAQCgAAXwAAAAIAAADAmN0AVuMGAAAAAQBVU0QAVVNEAKAAWAKdGAAAhM8AAgUAAQIAAJAAeyZ6OQAAAAA./cnd=%210wbyPwigy_ABEMCx9gYY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyPYXDEXsp6w4pmaZhjn32Zt2ppnmTKe5eNYmmajZx6nY9ka5o%3Fdp%3D3095266%26dp2%3Dnym1COj6tYaxw_fLQBACGJz7jJS2nMvWfCIPMTkzLjEzOC4yNDQuMjMxKAEwqPDKnwU.%26dp3%3DCP3941792_S2576_C14522560_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266
hxxp://ib.anycast.adnxs.com/a_usersync?cbfn=ANX_async_load
hxxp://pagead46.l.doubleclick.net/pagead/conversion/976381674/?random=1408415760152&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://www.google.com/analytics.js
hxxp://a.ssl.fastly.net/serve/52dfe62b6897d9bfcf00011e.js
hxxp://pagead46.l.doubleclick.net/pagead/viewthroughconversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://www.google.com/collect?v=1&_v=j24&a=1198451114&t=pageview&_s=1&dl=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ul=en-us&de=utf-8&dt=Thank You - For installing our free coins app!&sd=32-bit&sr=1276x846&vp=1256x693&je=0&fl=11.6 r602&_u=ME~&cid=1378333658.1408415761&tid=UA-46704880-1&z=1807395146
hxxp://ib.anycast.adnxs.com/px?t=2&id=157720&other=ADFuxS2HCsOBlbbe
hxxp://ib.anycast.adnxs.com/seg?t=2&add=1459541
hxxp://ib.anycast.adnxs.com/seg?t=2&add=1418586
hxxp://prod-pixel-collector-1097235636.us-east-1.elb.amazonaws.com/px/?id=157720&other=ADFuxS2HCsOBlbbe&a_id=7094
hxxp://prod-pixel-collector-1097235636.us-east-1.elb.amazonaws.com/seg/?add=1418586,1459541
hxxp://freecoins.vo.llnwd.net/updates/a/desktopapp.wys
hxxp://www.google.com/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356
hxxp://c.live.com.nsatc.net/c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd
hxxp://ib.anycast.adnxs.com/a_usersync?c=9&cbfn=ANX_async_load
hxxp://ib.anycast.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA\|TOptOut=\|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ib.anycast.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B\|TOptOut=\|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://www.google.com/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356&ipr=y
hxxp://freecoins.vo.llnwd.net/updates/m/fcmonitor.wys
hxxp://www.googleadservices.com/pagead/conversion.js
hxxp://ib.adnxs.com/seg?t=2&add=1418586
hxxp://ib.adnxs.com/seg?t=2&add=1459541
hxxp://c.bing.com/c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd
hxxp://flex.msn.com/mstag/tag/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/analytics.js?ver=1312081600
hxxp://static.revenyou.com/offers/images/Theme8/button.png	198.232.124.224
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3095266
hxxp://cdn.freecoins.co/updates/a/desktopapp.wys
hxxp://ib.adnxs.com/bounce?/tt?id=3092585
hxxp://www.google.com.ua/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356&ipr=y
hxxp://ib.adnxs.com/px?t=2&id=157720&other=ADFuxS2HCsOBlbbe
hxxp://data.getserverinfo.com/Installer/Track?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&reqid=134427026&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=6303&offerscreenid=&offerorder=7&downloadduration=47937&installduration=47&issecond=0	54.83.205.127
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png	74.125.142.95
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://cdn.adnxs.com/p/a1/83/c9/56/a183c956bc259a9c8afeb3ac09ff6ece.jpg	23.15.4.16
hxxp://ib.adnxs.com/tt?id=3095266
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js	74.125.142.95
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css	74.125.142.95
hxxp://cdn.adnxs.com/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf	23.15.4.16
hxxp://www.google-analytics.com/collect
hxxp://ib.adnxs.com/bounce?/tt?id=3095266
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css	198.232.124.224
hxxp://cdn.freecoins.co/d/FreeCoinsApp.exe
hxxp://data.getserverinfo.com/Installer/Flow?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.4	54.83.205.127
hxxp://ib.adnxs.com/a_usersync?cbfn=ANX_async_load
hxxp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA\|TOptOut=\|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092585
hxxp://ib.adnxs.com/tt?id=3092585
hxxp://flex.msn.com/mstag/site/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/mstag.js
hxxp://static.revenyou.com/offers/images/Theme8/button_over.png	198.232.124.224
hxxp://pixel.prfct.co/seg/?add=1418586,1459541
hxxp://partner.googleadservices.com/gpt/pubads_impl_46.js
hxxp://cdn.adnxs.com/ANX_async_usersync.js	23.15.4.16
hxxp://2745850.r.msn.com/?type=1&domainId=2745850&dedup=1&actionid=207232
hxxp://flex.msn.com/mstag/mstag.1003102000.js
hxxp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B\|TOptOut=\|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js	74.125.142.95
hxxp://static.revenyou.com/offers/images/Theme8/bgImg.jpg	198.232.124.224
hxxp://data.getserverinfo.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0	54.83.205.127
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js	74.125.142.95
hxxp://static.revenyou.com/offers/images/Theme8/topLine.jpg	198.232.124.224
hxxp://www.google-analytics.com/collect?v=1&_v=j24&a=1198451114&t=pageview&_s=1&dl=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ul=en-us&de=utf-8&dt=Thank You - For installing our free coins app!&sd=32-bit&sr=1276x846&vp=1256x693&je=0&fl=11.6 r602&_u=ME~&cid=1378333658.1408415761&tid=UA-46704880-1&z=1807395146
hxxp://static.revenyou.com/offers/images/Theme8/bottomLine.jpg	198.232.124.224
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://cdn.adnxs.com/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf?clickTAG=http://nym1.ib.adnxs.com/click?MuYNBGdlYD9FrjRT5edZP8uhRbbz_aQ_Ra40U-XnWT8y5g0EZ2VgP5w9g2LjLK18aH3NEBvel0AouPJTAAAAAOI6LwAQCgAAXwAAAAIAAADAmN0AVuMGAAAAAQBVU0QAVVNEAKAAWAKdGAAAhM8AAgUAAQIAAJAAeyZ6OQAAAAA./cnd=%210wbyPwigy_ABEMCx9gYY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyPYXDEXsp6w4pmaZhjn32Zt2ppnmTKe5eNYmmajZx6nY9ka5o%3Fdp%3D3095266%26dp2%3Dnym1COj6tYaxw_fLQBACGJz7jJS2nMvWfCIPMTkzLjEzOC4yNDQuMjMxKAEwqPDKnwU.%26dp3%3DCP3941792_S2576_C14522560_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266	23.15.4.16
hxxp://ib.adnxs.com/a_usersync?c=9&cbfn=ANX_async_load
hxxp://www.googleadservices.com/pagead/conversion/976381674/?random=1408415760152&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=4&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://www.google-analytics.com/analytics.js
hxxp://ib.adnxs.com/tt?id=3092599
hxxp://pixel.prfct.co/px/?id=157720&other=ADFuxS2HCsOBlbbe&a_id=7094
hxxp://cdn.wemempoclano.net/updates/m/fcmonitor.wys
hxxp://tag.perfectaudience.com/serve/52dfe62b6897d9bfcf00011e.js	23.235.44.130
hxxp://www.googletagservices.com/tag/js/gpt.js
hxxp://ib.adnxs.com/bounce?/tt?id=3092599
hxxp://static.revenyou.com/offers/images/Theme8/bodyImg.png	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/topComp.png	198.232.124.224
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092599
hxxp://cdn.adnxs.com/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf?clickTAG=http://nym1.ib.adnxs.com/click?VQq0ldW_lz-aRSWxEcOSPxsv3SQGgaU_mkUlsRHDkj9UCrSV1b-XP5LkLklgBMhNaH3NEBvel0AnuPJTAAAAAHcwLwAQCgAAXwAAAAIAAABIgQkBVuMGAAAAAQBVU0QAVVNEANgCWgCdGAAAW9wAAgUAAQIAAJAAoCPDbwAAAAA./cnd=%21jwaPPwj_95UCEMiCpggY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyQamrEXsp6w4pkcplfnYGZt2VtnGTKgJWLZpiWXqF6lo9m%3Fdp%3D3092599%26dp2%3Dnym1COj6tYaxw_fLQBACGJLJu8mEjIHkTSIPMTkzLjEzOC4yNDQuMjMxKAEwp_DKnwU.%26dp3%3DCP4553727_S2576_C17400136_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599	23.15.4.16
hxxp://cdn.adnxs.com/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf	23.15.4.16
hxxp://data.getserverinfo.com/Installer/TrackFinish?reqid=134427026&x=y&clickid=wHMQM6R5862BFPKD0S10G3CI	54.83.205.127
hxxp://static.revenyou.com/offers/images/Theme8/nextCase.jpg	198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png	74.125.142.95
cm.g.doubleclick.net	74.125.226.153

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /FreeCoinsLandingPage/themes/thankyou/images/desttop_bg.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freecoins.co/FreeCoinsLandingPage/thankyou.jsp

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.freecoins.co

Connection: Keep-Alive

Cookie: JSESSIONID=E27F5481B9C47ACFB10FC15D06243E0B

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Accept-Ranges: bytes

ETag: W/"20943-1403623016000"

Last-Modified: Tue, 24 Jun 2014 15:16:56 GMT

Content-Type: image/png

Content-Length: 20943

Date: Tue, 19 Aug 2014 02:36:24 GMT

Connection: close

.PNG........IHDR...V.........5 ......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /gpt/pubads_impl_46.js HTTP/1.1

Accept: */*

Referer: hXXp://data.getserverinfo.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partner.googleadservices.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript

Last-Modified: Tue, 29 Jul 2014 17:42:15 GMT

Date: Mon, 11 Aug 2014 23:55:22 GMT

Expires: Tue, 11 Aug 2015 23:55:22 GMT

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 33549

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 614458

Alternate-Protocol: 80:quic

......n.....y..H.8..^E...H......"... .....3.'..e;>d,9......>..e`....!V.wuUu.v....0.... >.../~>.fl....|...b>..J..vk....q..eW,...XY....8M..7Ll ...0.|?p .y...p..|.b.....:.-.c...yN...i;........<.Sl...g.|8.7C>.C[........i.^..'.jM.....C..Kk......jH.q<....]k1..d8.#k.H.f.a.oJ....y~{..C....c..S.`[.2.Y.....r.U.k....ti.....U.H-....Y.-c....Q..Ug.-P.._.buQ.b.X.k......C..Eu;...j...bWB.6...eu.g.... ...[.v.....3$.s..SU.'..N...a`f] .p...i.....ata5......oy>h.9....<y....>.[l`...,.@@.Q..f.[.7.8L....3.y.=.......N>......y:..@...rr...#...q.3...,.".@..v...?U......l0Lr9..E....p4..z.k...Y.......y5......k.lJ.P.v...oN.PMy>....4....pw...........m]....L.ko....E.X..9[d.....(]6......y.7...r.6..i|... v[.w.rs.jZ.../^.m....h.....M.....,_...mai..../......5x.c.....q<g.H......q..\..D>......c.Z...m.xg..T.A.....J......1.0..q...t.sH....!K..4...=u...O.6X$.n..........t.R.......i..f...,........!^l.)@j.4......a6.`...A.%V\.L.,......C.....3......M.$..g.,O'.n..RN?.:...O.<;.....;..<.r:Z..u,.5Ze_.......1......_w........4...h.....?B.^..]....~.J....'3...j....9...u...e^`.~]._._...0..EZ[./ku_c...{\.....Z pC.Z._........)....~....~.....k...~o......9|w1.{........-...w,u",.9_:_..v../t.k.F.M......waY...0.z.\.T@~....T.5.y...x.c.....e@W57.83.A,.O...{x.'j;%.M....8..>?...#r..w...V.j.tX..o.6L.0{...}g...y...<.<......I.*...fk.._}|....k.b.@.d8..g..8.......B.......jbo.d.G..G.k.........i.A.[v=...._!......\.A.Z.....:...D\..{..paT,....,_.sW.bX......4.p..LF.t.Mf......x....{.....;0...6....:?o..:..3...>......?..9...>s.

<<< skipped >>>

GET /c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freecoins.co/FreeCoinsLandingPage/thankyou.jsp

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.bing.com

Connection: Keep-Alive

HTTP/1.1 302 Redirect

Cache-Control: private, no-cache, proxy-revalidate, no-store

Pragma: no-cache

Location: hXXp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"

Set-Cookie: ANONCHK=1; domain=c.bing.com; expires=Tue, 19-Aug-2014 06:36:27 GMT; path=/;

Set-Cookie: MUID=1A7492F371996BC43D579468759968FA; domain=.bing.com; expires=Thu, 18-Aug-2016 02:36:27 GMT; path=/;

Date: Tue, 19 Aug 2014 02:36:26 GMT

Content-Length: 0

HTTP/1.1 302 Redirect..Cache-Control: private, no-cache, proxy-revalidate, no-store..Pragma: no-cache..Location: hXXp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")..Server: Microsoft-IIS/8.0..X-Powered-By: ASP.NET..P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"..Set-Cookie: ANONCHK=1; domain=c.bing.com; expires=Tue, 19-Aug-2014 06:36:27 GMT; path=/;..Set-Cookie: MUID=1A7492F371996BC43D579468759968FA; domain=.bing.com; expires=Thu, 18-Aug-2016 02:36:27 GMT; path=/;..Date: Tue, 19 Aug 2014 02:36:26 GMT..Content-Length: 0......

GET /c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://ib.adnxs.com/bounce?/tt?id=3092585

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.bing.com

Connection: Keep-Alive

Cookie: ANONCHK=1; MUID=2C0938180C976E9112D43E8308976D7B

HTTP/1.1 302 Redirect

Cache-Control: private, no-cache, proxy-revalidate, no-store

Pragma: no-cache

Location: hXXp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"

Date: Tue, 19 Aug 2014 02:36:27 GMT

Content-Length: 0

GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/css; charset=UTF-8

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 19 Aug 2014 02:21:22 GMT

Expires: Tue, 19 Aug 2014 03:21:22 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 6091

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 846

Alternate-Protocol: 80:quic

...........=k.....3...E...yl.=.=.....7@..6..~...e.#K.$.#A..=.!%J|iz...;@Z.:...y..}..........X.H~{G...O~......-.M^M....@o..c.....Og.s............!/.Ms.\\...'t.&qy..........hN.,fE..r*.V.f..O.>.."...G._.... s.WO8f....v...dJ>O...H ..o..>..! v.o~y...gg.....#.D.,?BwgQ...&.,B.h.%. .'.d.1...R...&.M...1..l.3.?.u..t.B.u...F....e....&q..7.bq.bv| ........... V..z;.j.A_.kr.I.J...e.z..A.yV0........0..5i.C.%,. .L..iY4Q.}...t......y..U.q.h.f..-K.....3.6...H..Y..|..u.....\d[T.........>......|...Y...T.*...<..X..F.S.:.4..G.<.r`k.&?........0.p.w gEcN..=.'8a...E......~...$OXJOy.s)...ud..\tQ.Z$$;..|.}g@G..m^...S2.gn.h......;V.yy.!...{4..U%D>x....{...2.SV....!Y<....3..e...cMTb.5.,f...r..$Or..%X...78.I.>..Y.99@.........U......4....5.......2.......UY.<.W EY.h.<.U.l2c.....V.J..T.^...owo.....(...|...Sh..~x..l..ovyY.7...M... ..v2.%.j....Np1_....4...M...9.~.,y.V..b.-...i.&i.q...W7......*1.QP.k:C..^.k6..T.\.u,..LW.(S<)5.............X...ZW...#.UC*.:nT;.....\<._.. J.YK.:9.H}3....U.B..$..W..f$l]^m....@..c..........0.h...l.q.,(."......l.%........:.A..y.'n.. ..j:.q2.]r..M...j.JSQ....i.8...J...".iZ.V.....5..'S:.*..C..V.Y.!S.k*.:FT.tv...1.P.A.e..r.h......-..uGZ6.(.....l..!5....z....2M!.?.G.........'....U>..-aH/ .E.D.T{J..C!...tK.!.a.v..~......$....5 ..xj.u...P...x.@ F{..S..R.O.<d#.E%PS.//......5fV.4...1..S.......mw..#..o Q. .....p_yI..ox.....UM.uP....b.v0GE.....A....X.!pX4.......Y-o..f9.....L.p$.........;..P...Q.b........mZe..$s..].8..t...M...o......X...S".>..1A*.....2h......D.j8Y..wL..^.| ....1...`C

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 19 Aug 2014 01:40:59 GMT

Expires: Tue, 19 Aug 2014 02:40:59 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 51558

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 3269

Alternate-Protocol: 80:quic

............iw...0....d...-.@......."...x{,y.<....n.M....ZB...w...AP...9.L,.k_n..n.{.......V..G..<........}......n.........l..Y....z3..................E1.-.uz..........ZXI..rZm....../X...4.......@..Z......yUlB..U#..L...1p.>...2...].....M(...J.....e..I......5...9...e.....&.........W..y...f./..j..}^....r...n.._7.j.o..v.i./a.7uq......r.%.,......j9..Y.s......@..$...... \...H...=....?....y...}W..b].G..|-....wG.N.O<.H.Q...'w......H.....*.....?..Uo..n..Z=..U...I...*..,....J.@.b.....l.[@E1.....jq<..V.d.=.n......,..o... .gY.G....N%$f..u..."J.....xvrR..$.q..i....l..m7....p...]./!.......JF0..^.. ...Q.....H..q...._wr"9..S].I/_.....~M...Z..U5..^q.z..U...k..........Q.........v...[.v..`:UJvIo^-...........n.;..{o....p.CliS-J..w27...F.....v .{...t..........g._._...~z......wz.......gP.K.....W....w/.ym......B.cH....?~..~/.~..../...._.........4..s........x..z|...^|.../.._..?.z..............?.......?=......N......_<...3.n..I/..../ e.Rd../U...|...O.....Pi.~.....=.5..%~z...oh..?.._~J.?.?.....0....g.. ....0....W...x....W.k|)....h....n...7Y....c..l.Y..._...3.D.f.,n..G?.'h...*.l...ZN...R...q..F.;.*/f6T.q-3........Z.n..y\&.].......*.C..p..I.U.Z/....`..W..k<.Pn]....OtJR...P...j.n...z]W''..z.o.b.....m...K...u.)..%.v{.8p9..T....4U......X..U.o'...T.....D...G.tc.3o....8./.a.NK^...........q?I.0.....)-..m.\..m...@.0......\..{.>........D..n..Gp..)R:...>.D ....d.nV.......C....pWe.?Xl.B.....6} .Q.4...j....^.6q..3..>5w\.....'.@....&6...?ok..$.;....[...!Vo........vx}{s.L.dA...6......8.r......bt.>"a........0...I~;....

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 19 Aug 2014 02:35:29 GMT

Expires: Tue, 19 Aug 2014 03:35:29 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 3457

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 0

Alternate-Protocol: 80:quic

.PNG........IHDR.......d.....p..}...HIDATx...K..N................q..B....6...._.d.c.......*...V......|U.......w-...p..>Z..........`............`............`............`............`............`............`............`.......@.....:n.K>.u.....X..V..G........l.9......j6.x..xu..y...I... gZ.D.L...........4[OG.8.|d.....;.N[O..lz.M....{..ne.Z1..VlO...e..k.g.........k.6.r..........be'`t#..zu39.|[..6=9....4..H."...-Cd.D.z.3c.g...S.,..D7.h.H=O.F6.{7.....H6G...S.......U.9.%w....`C.....y.G^@......O..........0.l.....0.Z.4..H..[.k..Z..Z..zm].v.......J.$ZMZ..yK.....Z.4.Z.Z.Z.Gr..M..j.b..Z^.1c.E........,....6&.9....3)....[W.vH...a...k~....,.........1..k.R..........iWd....M.V..O)..?y.....W...._<....p.p....`............`..b.......:............:.............Xj)...w.....-?M.bE|[...I.eki......&.U.6.........l4.[..N.F.....|...qc.Zj.7.....;.f/..w..=......}L[...k.E.S/.x....3-...^.R....."Z.........[........:.;...n.Z..~.....;.....%w....P7...'R^....E[?.C...X.$.^Y.Yj...}...iS.O.....m........r%..4yy.r..I.....Io...'i..;..._....K.7.%.Q../.\......X....3;_........[...[..ti.........._.-..Z.l;j)e.L.lyf"Dm..^4...-.|G.E VdRD..M....S[.{.i6G...~/7V.h....M..;^.1~.}.;......=9.]S2....y.w|Y.#s(..X..;....:=....Y_#.\r......RkY.$.e.mk..n.E|..m|....kk...O.......'......-..n.z..XZ}m\H.._e.....V.x9........!.../.xs......f.......5.Zl .......x.....].?/..9r......h...]^}M....<....;..........p.p....`........}.....n..~....4............. ^=..kc...|j..4{u[.......H.2...Y1......R..|x.5M......j..4.%..x......!ij....bXcT..^ file.

Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery.min[1].js (6004 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\DynamicOfferScreen[1].htm (2676 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\DynamicOfferScreen[1].htm (850 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\bodyImg[1].png (1 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\FreeCoinsApp[1].exe (5452566 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\jquery-ui.min[1].js (10698 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery-ui[1].css (1411 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\914084156970\FreeCoinsApp.exe (5234561 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\button[1].png (458 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\button_over[1].png (921 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\jquery-ui-1.8.19.custom[1].css (11061 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (238 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\gpi.bat (143 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\send_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\global.properties.xml (1638 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\close_btn.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\DAutils.dll (1568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_horizontal_middle_slice.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\arrow.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\popup_multi.png (87 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\noInternet.ico (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_right.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\coins_icon.png (12 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\body_ad_purple.png (6 bytes)%Documents and Settings%\%current user%\Start Menu\Programs\FreeCoins\FreeCoins.lnk (1 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll (5568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\search_box.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\jquery.custom-scrollbar.css (9 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\loading_img.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\query_link.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-2.png (2979 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\openThankYou.bat (340 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\notifications_bg.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\share_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\ok_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe.config (263 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert_1.png (87 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\arrow.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.min.js (42 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\down.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tray_icon_on.ico (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\aPop.js (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\BG_settings.png (15 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RunAppMonitor.bat (102 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_right.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\background_body.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_16.ico (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe (7168 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallAddiotionals.bat (575 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4232 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\left.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\redeemed_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_OFF_settings_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_left.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email-30X1.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_bg.png (36 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe.config (270 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\client.wyc (1568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg2.png (87 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_top.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\storageManager.js (2193 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\runApp.bat (28 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_48.ico (27 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\production.properties.xml (1 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_content_footer.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\installPath.txt (73 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\lock.png (12 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe (1965 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\alerts.xml (651 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_blue.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\coins_btn.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.dll (7384 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_center_slice.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\alert_skin_4.html (4 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_background.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.xml (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_bg.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\Thumbs.db (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll (14768 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\index_skin_4.html (56 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\BG_alert.png (33 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\Stumbleupon32X32.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\up.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\main_v4.css (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\facebook_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_32.ico (12 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate4.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_gray.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-1.png (2979 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallNet35xp.bat (446 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\client.wyc (1568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe (26 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\settings_body.png (15 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\redeem_now.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\right.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery-1.9.1.min.js (6312 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\time_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\lifeCycleManager.js (42 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\verifyUninstall.bat (464 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\setting_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\settings_link.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\BG_popUP.png (21 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe (13 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\time_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_bottom.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\production.properties.xml (1 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\DAutils.dll (1568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\json2.js (51 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionManager.js (63 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_64x64.ico (48 bytes)%Documents and Settings%\%current user%\Desktop\FreeCoins.lnk (1 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_left.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_bottom.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionPopupUI.js (18 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-2.png (2979 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\pcc.bat (82 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon_click.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe.config (270 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.cookie.js (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\coupons_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\verifyUninstall.bat (464 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\googlePlus32X32.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\search_noresults.png (63 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\borderItem.jpg (30 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\errorHandling.js (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\twitter32X32.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\mail_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Thumbs.db (27 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\body.png (2979 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\top.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\save_btn.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\lock.png (12 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\browsers.css (1428 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_bg.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_ON_settings_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_48.ico (27 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\time_left_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_16.ico (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_face.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\minimize_app.png (2997 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\close_app.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_32.ico (12 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.png (12 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\SetupNET35.exe (49498 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-1.png (2979 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\gmail32X32.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe (26 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\locked_popup_face2.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\transparent.gif (126 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_icon.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\counter_all.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_logo.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\utils.js (33 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe.config (270 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\image_2.jpg (33 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\left.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_left.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\email32X32.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_history_bg.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon_click.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_empty.png (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe.config (270 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\locked_popup_bg.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\ourScrollBar.css (9 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.ico (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\invite_friends_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_icon.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn_click.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\global.properties.xml (819 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\yahoo32X32.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.xml (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\close_btn_fBack.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\production.properties.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\client.wyc (1568 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\alertManager.js (2286 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\uiManager.js (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\home_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_64x64.ico (48 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_top.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\installPath.txt (73 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\header_image.png (6312 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\invite_friends_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\alerts.xml (1302 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\right.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\facebook32X32.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_vertical_middle_slice.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\alerts.xml (651 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\down.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_right.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_gray.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\global.properties.xml (819 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\DAutils.dll (3136 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\promotionPopup_skin_4.html (20 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\down.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate4.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\up.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_body.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (6 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\close_btn.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg.png (4704 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email_bg.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate4.exe (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe.config (546 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_close.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.js (75 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_pointer.png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\commManager.js (21 bytes)%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon.png (6 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (57028 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Convert.dll (4583 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (723 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (497 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (294 bytes)

Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]"FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Map

Strings from Dumps