Gen.Heur.SMHeist.3_f07b0838fe

by malwarelabrobot on December 25th, 2016 in Malware Descriptions.

Trojan-Dropper.VBS.Agent.hi (Kaspersky), Gen:Heur.SMHeist.3 (B) (Emsisoft), Gen:Heur.SMHeist.3 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: f07b0838fee1eb3e3d81758bdbd67ef8
SHA1: b83a1f5e1c4da4096f76b96e4140e873f5bff1c2
SHA256: 346ffd2de34fc4bf8d0377b3c26f7208faa6a80751cbff3a4efef8bc7e58b020
SSDeep: 98304:FAI d2mZYhDMIXFZ8EMhvKbZpVqJGfYahzZgvxp7kLk1fKjyt/GMLBYIw2MJTOu:Wt d2mZYlnFZ8EMhYAGAMZg5p7jfTdN8
Size: 5947780 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealth installation of other malware onto the user's system.

Payload

Behaviour: WormAutorun
Description: A worm that spreads via removable drives. It writes its executable to every removable drive and creates an "autorun.inf" script there; the autorun script launches the Trojan's file when a user opens the drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

aswOfferTool.exe:3048
aswOfferTool.exe:1656
aswOfferTool.exe:2856
FB_587C.tmp.exe:656
%original file name%.exe:2196
WScript.exe:3900
instup.exe:2036
instup.exe:3336
FB_53E9.tmp.exe:2360
avast_premier_antivirus_setup_online.exe:3504
rytr5674657gfhgjgj.eXe:992

The Trojan injects its code into the following process(es):

google.fr.exe:3908
svchost.exe:1700
iexplore.exe:1052

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process aswOfferTool.exe:3048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (368 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (0 bytes)

The process aswOfferTool.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (146 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (0 bytes)

The process aswOfferTool.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (368 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (0 bytes)

The process FB_587C.tmp.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe (678 bytes)

The process %original file name%.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (8250 bytes)
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe (101262 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe (3878 bytes)
%Program Files%\AVAST Software\Avast Antivirus\M.vbs (6697 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.ini (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)

The process WScript.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe (32685 bytes)

The process instup.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx (591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.lkg (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe (15799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122403.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (78553 bytes)
C:\$Directory (1152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-8.vpx (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (24822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx (725 bytes)
C:\ProgramData\AVAST Software\Avast\avast5.ini (838 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (27530 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4875 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (794 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (2668 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1319.vpx (841 bytes)
C:\Windows\System32\config\SYSTEM (4538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe (7733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (15278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx (513 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def (24 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log.tmp.cc4b2451-75b9-4c75-9742-0fb1c6e807d7 (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (0 bytes)

The process instup.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (421 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-0.vpx (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1.vpx (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (146 bytes)
C:\ProgramData\AVAST Software\Avast\avast5.ini (588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (15534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122402.vpx (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (2668 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (671 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (291 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (0 bytes)

The process FB_53E9.tmp.exe:2360 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

The process avast_premier_antivirus_setup_online.exe:3504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe (1783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-setup_ais-c0308e8.vpx (97 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (780 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def (6 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (2384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-prg_ais-c0308e8.vpx (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16081802.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-11af.vpx (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-7.vpx (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx (780 bytes)

The process rytr5674657gfhgjgj.eXe:992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe (69 bytes)

Registry activity

The process aswOfferTool.exe:3048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\GCAPITemp]
"test" = "te^"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\GCAPITemp]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\GCAPITemp]
"test"

The process aswOfferTool.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"AVAST Software" = "20170624"

[HKLM\SOFTWARE\Google\Google Toolbar]
"test" = "test"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Google Toolbar]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"AVAST Software"

[HKLM\SOFTWARE\Google\Google Toolbar]
"test"

The process FB_587C.tmp.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

[HKCU\Software\kSILlzCwXBSrQ1Vb72t6bIXtKRzHJ]
"US" = "@"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"VersionMinor" = "3"
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"InstallDate" = "20161224"
"VersionMajor" = "12"
"DisplayName" = "Avast Antivirus 12.3.3154.0"
"UninstallString" = "%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"DisplayVersion" = "12.3.3154.0"
"Publisher" = "AVAST Software"
"InstallSource" = "c:\"
"EstimatedSize" = "6513"
"URLInfoAbout" = "https://www.avast.com/en-us/index"
"HelpLink" = "Copyright (c) 2014 AVAST Software"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"DisplayIcon" = "%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe"
"Language" = "1033"
"InstallLocation" = "%Program Files%\AVAST Software\Avast Antivirus\"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process instup.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\AvastPersistentStorage]
"InstupProgress_UpdateSetup_Main" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\AVAST Software\Avast]
"SetupLog" = "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log"

[HKCR\AvastPersistentStorage]
"InstupProgress_Description" = "Downloading file: servers.def.vpx"
"InstupProgress_UpdateSetup_Syncer" = "0"
"InstupProgress_Title" = "Updating the product"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process instup.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\AvastPersistentStorage]
"InstupProgress_Installation_Syncer" = "100"
"InstupProgress_Installation_Main" = "0"
"InstupProgress_Description" = "Checking install conditions"

[HKLM\SOFTWARE\AVAST Software\Avast]
"SetupLog" = "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\aswProbeKey]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process FB_53E9.tmp.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "PHypr4"

The process avast_premier_antivirus_setup_online.exe:3504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\AvastPersistentStorage]
"SfxInstProgress" = "0"

The process rytr5674657gfhgjgj.eXe:992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
66ea31bba02926125f360f7e02bc8344 c:\Program Files\AVAST Software\Avast Antivirus\Uninstall.exe
b6e6fad911f99b82bf177954930deabb c:\Program Files\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
60025dd6a05f3380ba1b0bafd338c320 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe
4ef923e6c6243ce0188de66de429e605 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe
edd855b165b286f79508a333b778f402 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll
12b1037493b0b39d76a750029b14e662 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll
49b4a212a375cc583bfdfbaa5e389266 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe
00719052b2e70042e19e7162aecf8568 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe
7e55d04d833375d6c0b968360d49e979 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe
edd855b165b286f79508a333b778f402 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll
12b1037493b0b39d76a750029b14e662 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll
31cd6d713c3209701ad908027231641c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe
907dd55be33c3c8bd9673ef209bfd014 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe
49b4a212a375cc583bfdfbaa5e389266 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe
907dd55be33c3c8bd9673ef209bfd014 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx
7e55d04d833375d6c0b968360d49e979 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx
00719052b2e70042e19e7162aecf8568 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx
49b4a212a375cc583bfdfbaa5e389266 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx
12b1037493b0b39d76a750029b14e662 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx
31cd6d713c3209701ad908027231641c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx
89d228621266365f1d82d73ba48a9d0e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx
9fd8268dcf87fafa76757f604296cb0d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx
edd855b165b286f79508a333b778f402 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx
4ef923e6c6243ce0188de66de429e605 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe
7b49fea8cb10f38387e3f89a95096beb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe
60025dd6a05f3380ba1b0bafd338c320 c:\Windows\InstallDir\google.fr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm that spreads via removable drives. It writes its executable to every removable drive and creates an "autorun.inf" script there; the autorun script launches the Trojan's file when a user opens the drive's folder in Windows Explorer.

VersionInfo

Company Name: AVAST Software
Product Name:
Product Version:
Legal Copyright: AVAST Software
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.3.3154.0
File Description: Avast Antivirus 12.3.3154.0 Installation
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 148684 148992 4.57091 5e14e4ede2e2215bc7d72837b9871f8f
DATA 155648 10388 10752 2.62963 abafcbfbd7f8ac0226ca496a92a0cf06
BSS 167936 4341 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 176128 6040 6144 3.3864 a4e0ac39d5ed487ceea059fa23dfce5e
.tls 184320 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 188416 24 512 0.14174 c4fdd0c5c9efb616fcc85d66056ca490
.reloc 192512 6276 6656 4.56552 867a1120317d51734587a74f6ee70016
.rsrc 200704 4200 4608 3.30561 dc97f4c1541feda16ef84cf7044f3d17

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www-google-analytics.l.google.com/collect?an=Premier&av=12.3.3154&cd=stub-extended&cd3=Online&cid=88954422-abef-43c9-a4a1-44e879ebb6a2&dt=Installation&t=screenview&tid=UA-58120669-3&v=1
hxxp://v7event.stats.avast.com/cgi-bin/iavsevents.cgi? 46.4.34.3
hxxp://shepherd.ff.avast.com/? 77.234.43.107
hxxp://a1639.g1.akamai.net/iavs9x/servers.def.vpx
hxxp://a1639.g1.akamai.net/iavs9x/prod-pgm.vpx
hxxp://a1639.g1.akamai.net/vpsnitro/prod-vps.vpx
hxxp://a1639.g1.akamai.net/vpsnitro/part-iex-8.vpx
hxxp://a1639.g1.akamai.net/vpsnitro/part-jrog2-1319.vpx
hxxp://a1639.g1.akamai.net/vpsnitro/part-vps_win32-16122403.vpx
hxxp://a1639.g1.akamai.net/iavs9x/avbugreport_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/iavs9x/avdump_x64_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/iavs9x/avdump_x86_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/iavs9x/offertool_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/iavs9x/selfdefense_x64_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/iavs9x/selfdefense_x86_ais-8e8.vpx
hxxp://a1639.g1.akamai.net/vpsnitrotiny/prod-vps.vpx
hxxp://a1639.g1.akamai.net/vpsnitrotiny/part-iex-0.vpx
hxxp://a1639.g1.akamai.net/vpsnitrotiny/part-jrog2-1.vpx
hxxp://a1639.g1.akamai.net/vpsnitrotiny/part-vps_win32-16122402.vpx
hxxp://v7event.stats.avast.com/cgi-bin/iavsevents.cgi 46.4.34.3
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-8e8.vpx 212.30.134.147
hxxp://www.google-analytics.com/collect?an=Premier&av=12.3.3154&cd=stub-extended&cd3=Online&cid=88954422-abef-43c9-a4a1-44e879ebb6a2&dt=Installation&t=screenview&tid=UA-58120669-3&v=1 216.58.214.238
hxxp://77.234.43.107/?
hxxp://p9849275.vpsnitrotiny.u.avast.com/vpsnitrotiny/part-jrog2-1.vpx 212.30.134.147
hxxp://p9849275.vpsnitrotiny.u.avast.com/vpsnitrotiny/prod-vps.vpx 212.30.134.147
hxxp://h1708605.vpsnitro.u.avast.com/vpsnitro/part-vps_win32-16122403.vpx 212.30.134.146
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/selfdefense_x86_ais-8e8.vpx 212.30.134.147
hxxp://w2920311.vpsnitro.u.avast.com/vpsnitro/part-iex-8.vpx 212.30.134.146
hxxp://p9849275.vpsnitrotiny.u.avast.com/vpsnitrotiny/part-iex-0.vpx 212.30.134.147
hxxp://k7677977.iavs9x.u.avast.com/iavs9x/servers.def.vpx 212.30.134.137
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/avbugreport_ais-8e8.vpx 212.30.134.147
hxxp://k8056924.vpsnitro.u.avast.com/vpsnitro/part-jrog2-1319.vpx 212.30.134.146
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/offertool_ais-8e8.vpx 212.30.134.147
hxxp://h0356377.vpsnitro.u.avast.com/vpsnitro/prod-vps.vpx 212.30.134.146
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/avdump_x64_ais-8e8.vpx 212.30.134.147
hxxp://r4205011.vpsnitrotiny.u.avast.com/vpsnitrotiny/part-vps_win32-16122402.vpx 212.30.134.147
hxxp://v4202226.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx 212.30.134.137
hxxp://g9421556.iavs9x.u.avast.com/iavs9x/selfdefense_x64_ais-8e8.vpx 212.30.134.147
hxxp://h1708605.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx 212.30.134.147
auth.ff.avast.com 77.234.43.98
mansoor-mans.ddns.net 188.55.244.72
ssl.google-analytics.com 172.217.20.168


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /vpsnitrotiny/part-jrog2-1.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-d5"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 213
Accept-Ranges: bytes
Cache-Control: max-age=33
Expires: Sat, 24 Dec 2016 19:40:42 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive


GET /iavs9x/avdump_x86_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 225164
Last-Modified: Fri, 19 Aug 2016 08:49:03 GMT
ETag: "57b6c7ff-36f8c"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:03 GMT
Connection: keep-alive

GET /iavs9x/selfdefense_x86_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 196135
Last-Modified: Fri, 19 Aug 2016 08:49:25 GMT
ETag: "57b6c815-2fe27"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:06 GMT
Connection: keep-alive

GET /vpsnitro/part-jrog2-1319.vpx HTTP/1.1
Host: k8056924.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 841
Last-Modified: Sat, 24 Dec 2016 16:28:14 GMT
ETag: "585ea21e-349"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive


POST /? HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Avast SimpleHttp/3.0
Content-Length: 87
Host: 77.234.43.107

data=CAMQ/////w8Y/////w8g/////w8qAIgBANoTBmlhdnM5eA==
HTTP/1.1 200 OK
Config-Name: avast_paid-products_low-value-countries_premier_szb-new-version_production-2ae52425519c67c5eb684b44a6b4c5f6a5caa285d2358eb0ace07d13944877c2
Config-Version: 1324
Content-Type: text/plain
TTL: 86400
TTL-Spread: 43200
Content-Length: 6656
Connection: close
[GrimeFighter]
LicensedClean=1
UseGF1License=1
info2_licensed_period=3600
info2_unlicensed_period=3600
[Instup.GA]
FractionDivisor=-1
FractionRemainder=1
[GA]
gaFractionDivisor=-1
[Analytics.Burger]
SendingPeriodSeconds=3600
BlackList=20.*;1.1.1;1.1.2;1.1.3;1.1.5;1.1.6;1.1.9;1.1.10;1.2;1.6;1.8.1;1.9
[StreamFilter]
TcpSpdy=0
[Bodyguard]
LeakedServer=digibody.ff.avast.com
LeakCheckInterval=0
[Instup.Submits]
SendBurger=1
HttpOnlyAsFallback=1
[Ffl2]
authServer=auth.ff.avast.com
[Pam]
SyncServer=pam-syncs.ff.avast.com
FFLAuthServer=auth.ff.avast.com
OnlineKeyServer=pam-airbond.ff.avast.com
AirBondServer=pam-airbond.ff.avast.com
[WebmailSignature]
GmailEnabled=0
OutlookEnabled=1
YahooEnabled=1
MaxRequestSize=16384
[Extensions]
FFSP=sp@avast.com
FFPAM=jid1-r1tDuNiNb4SEww@jetpack
GCSP=eofcbnmajmjmplflapaojjnihcjkigck
GCPAM=emhginjpijfggbofeediiojmdlmlkoik
GCAOS=gomekmidlodglbbmalcneegieacbdmki
FFAOS=wrc@avast.com
IEPAM=0A4E4748-5FEC-4098-88FA-080F11FF7B92
IEAOS=8E5E2654-AD2D-48bf-AC2D-D17F00898D06
GCASP=mbckjcfnjmoiinpgddefodcighgikkgn
GCWTU=chfdnecihphmhljaaejmgoiahnihplgn
GCWTU3=lkmdocpbnblchppecickbipihlkehdfg
GCAST=ndibdjnfmopecpmkdieinmbadjfpblof
GCASG=ndibdjnfmopecpmkdieinmbadjfpblof
FFASP=886A6486-37B3-4BCD-891B-FD0E325E7b1A
IEWTU=95B7759C-8C7F-4BF1-B163-73684A933233
FFWTU3=avg@wtu3
FFAST=avg@security
FFASG=avg@safeguard
[Components]
[SecureLine]
[Alpha]
AldServer=alpha-license-dealer.ff.avast.com
IqsServer=alpha-iqs.ff.avast.com
[common]
ConfigName=paid

<<< skipped >>>

GET /iavs9x/avbugreport_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 811029
Last-Modified: Fri, 19 Aug 2016 08:49:01 GMT
ETag: "57b6c7fd-c6015"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive

<<< skipped >>>

GET /vpsnitro/prod-vps.vpx HTTP/1.1
Host: h0356377.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Last-Modified: Sat, 24 Dec 2016 16:28:17 GMT
ETag: "585ea221-1c3"
Content-Type: application/octet-stream
Content-Length: 451
Accept-Ranges: bytes
Cache-Control: max-age=46
Expires: Sat, 24 Dec 2016 19:40:46 GMT
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive


GET /iavs9x/prod-pgm.vpx HTTP/1.1
Host: h1708605.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Last-Modified: Fri, 19 Aug 2016 08:49:43 GMT
ETag: "57b6c827-1be"
Content-Type: application/octet-stream
Content-Length: 446
Accept-Ranges: bytes
Cache-Control: max-age=59
Expires: Sat, 24 Dec 2016 19:40:59 GMT
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive


POST /? HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Avast SimpleHttp/3.0
Content-Length: 39
Host: 77.234.43.107

data=CAMQDBgDIOgRKgCIAQDaEwZpYXZzOXg=
HTTP/1.1 200 OK
Config-Name: avast_paid-products_low-value-countries_premier_szb-new-version_production-2ae52425519c67c5eb684b44a6b4c5f6a5caa285d2358eb0ace07d13944877c2
Config-Version: 1324
Content-Type: text/plain
TTL: 86400
TTL-Spread: 43200
Content-Length: 6656
Connection: close
[GrimeFighter]
LicensedClean=1
UseGF1License=1
info2_licensed_period=3600
info2_unlicensed_period=3600
[Instup.GA]
FractionDivisor=-1
FractionRemainder=1
[GA]
gaFractionDivisor=-1
[Analytics.Burger]
SendingPeriodSeconds=3600
BlackList=20.*;1.1.1;1.1.2;1.1.3;1.1.5;1.1.6;1.1.9;1.1.10;1.2;1.6;1.8.1;1.9
[StreamFilter]
TcpSpdy=0
[Bodyguard]
LeakedServer=digibody.ff.avast.com
LeakCheckInterval=0
[Instup.Submits]
SendBurger=1
HttpOnlyAsFallback=1
[Ffl2]
authServer=auth.ff.avast.com
[Pam]
SyncServer=pam-syncs.ff.avast.com
FFLAuthServer=auth.ff.avast.com
OnlineKeyServer=pam-airbond.ff.avast.com
AirBondServer=pam-airbond.ff.avast.com
[WebmailSignature]
GmailEnabled=0
OutlookEnabled=1
YahooEnabled=1
MaxRequestSize=16384
[Extensions]
FFSP=sp@avast.com
FFPAM=jid1-r1tDuNiNb4SEww@jetpack
GCSP=eofcbnmajmjmplflapaojjnihcjkigck
GCPAM=emhginjpijfggbofeediiojmdlmlkoik
GCAOS=gomekmidlodglbbmalcneegieacbdmki
FFAOS=wrc@avast.com
IEPAM=0A4E4748-5FEC-4098-88FA-080F11FF7B92
IEAOS=8E5E2654-AD2D-48bf-AC2D-D17F00898D06
GCASP=mbckjcfnjmoiinpgddefodcighgikkgn
GCWTU=chfdnecihphmhljaaejmgoiahnihplgn
GCWTU3=lkmdocpbnblchppecickbipihlkehdfg
GCAST=ndibdjnfmopecpmkdieinmbadjfpblof
GCASG=ndibdjnfmopecpmkdieinmbadjfpblof
FFASP=886A6486-37B3-4BCD-891B-FD0E325E7b1A
IEWTU=95B7759C-8C7F-4BF1-B163-73684A933233
FFWTU3=avg@wtu3
FFAST=avg@security
FFASG=avg@safeguard
[Components]
[SecureLine]
[Alpha]
AldServer=alpha-license-dealer.ff.avast.com
IqsServer=alpha-iqs.ff.avast.com
[common]
ConfigName=paid

<<< skipped >>>

GET /vpsnitro/part-iex-8.vpx HTTP/1.1
Host: w2920311.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 225
Last-Modified: Sat, 24 Dec 2016 16:28:14 GMT
ETag: "585ea21e-e1"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive


GET /iavs9x/prod-pgm.vpx HTTP/1.1
Host: v4202226.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Last-Modified: Fri, 19 Aug 2016 08:49:43 GMT
ETag: "57b6c827-1be"
Content-Type: application/octet-stream
Content-Length: 446
Accept-Ranges: bytes
Cache-Control: max-age=11
Expires: Sat, 24 Dec 2016 19:40:20 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive


GET /iavs9x/avdump_x64_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 253194
Last-Modified: Fri, 19 Aug 2016 08:49:02 GMT
ETag: "57b6c7fe-3dd0a"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:03 GMT
Connection: keep-alive

<<< skipped >>>

GET /vpsnitrotiny/part-vps_win32-16122402.vpx HTTP/1.1
Host: r4205011.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-12a"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 298
Accept-Ranges: bytes
Cache-Control: max-age=40
Expires: Sat, 24 Dec 2016 19:40:49 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive


GET /vpsnitrotiny/prod-vps.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-1a5"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 421
Accept-Ranges: bytes
Cache-Control: max-age=33
Expires: Sat, 24 Dec 2016 19:40:42 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive


POST /cgi-bin/iavsevents.cgi HTTP/1.1
Host: v7event.stats.avast.com
User-Agent: avast! Antivirus
Accept: */*
Content-MD5: qncYSVIJaU+gO3AFDztlgg==
Content-Type: iavs4/stats
Content-Length: 293

InstupVersion=12.3.3154.
edition=1
event=install_intr
guid=88954422-abef-43c9-a4a1-44e879ebb6a
midex=000000000000000000000000000000002d13e766ec0058428680dd00adcbeb6
operation=
os=win,6,1,2,7601,1,3
stat_session=d7563c3c-0a22-4cae-81e3-2aa806c61c1
statver=2.3
statsSendTime=148260841

HTTP/1.1 204
Server: nginx
Date: Sat, 24 Dec 2016 19:40:11 GMT
Content-Type: text/html
Connection: keep-alive


GET /iavs9x/offertool_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 1163694
Last-Modified: Fri, 19 Aug 2016 08:49:23 GMT
ETag: "57b6c813-11c1ae"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:04 GMT
Connection: keep-alive

<<< skipped >>>

GET /vpsnitrotiny/part-iex-0.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-d4"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 212
Accept-Ranges: bytes
Cache-Control: max-age=17
Expires: Sat, 24 Dec 2016 19:40:26 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive


GET /collect?an=Premier&av=12.3.3154&cd=stub-extended&cd3=Online&cid=88954422-abef-43c9-a4a1-44e879ebb6a2&dt=Installation&t=screenview&tid=UA-58120669-3&v=1 HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast SFX/1.0
Host: VVV.google-analytics.com


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 20 Dec 2016 16:03:33 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Cache-Control: no-cache, no-store, must-revalidate
Age: 358579


GET /vpsnitro/part-vps_win32-16122403.vpx HTTP/1.1
Host: h1708605.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 3868
Last-Modified: Sat, 24 Dec 2016 16:28:17 GMT
ETag: "585ea221-f1c"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive

<<< skipped >>>

GET /iavs9x/selfdefense_x64_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 220901
Last-Modified: Wed, 23 Nov 2016 10:00:38 GMT
ETag: "583568c6-35ee5"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:05 GMT
Connection: keep-alive

<<< skipped >>>

GET /iavs9x/servers.def.vpx HTTP/1.1
Host: k7677977.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 2869
Last-Modified: Tue, 21 Jun 2016 10:45:50 GMT
ETag: "57691ade-b35"
Accept-Ranges: bytes
Cache-Control: max-age=32
Expires: Sat, 24 Dec 2016 19:40:31 GMT
Date: Sat, 24 Dec 2016 19:39:59 GMT
Connection: keep-alive

<<< skipped >>>

POST /cgi-bin/iavsevents.cgi? HTTP/1.1
Connection: Keep-Alive
Content-Type: iavs4/stats
Content-MD5: jD3D40DKHlsozBl3CT2Htw==
User-Agent: Avast SimpleHttp/3.0
Content-Length: 356
Host: v7event.stats.avast.com

SfxCreated=148171082
SfxName=avast_premier_antivirus_setup_online.ex
SfxSize=630627
SfxVersion=12.3.3154.
edition=1
event=stu
guid=88954422-abef-43c9-a4a1-44e879ebb6a
midex=000000000000000000000000000000002d13e766ec0058428680dd00adcbeb6
os=win,6,1,2,7601,1,3
stat_session=d7563c3c-0a22-4cae-81e3-2aa806c61c1
statver=2.3
statsSendTime=148260839

HTTP/1.1 204
Server: nginx
Date: Sat, 24 Dec 2016 19:39:53 GMT
Content-Type: text/html
Connection: keep-alive


The Trojan connects to the servers at the following location(s):

avast_premier_antivirus_setup_online.exe_3504:

.text
`.rdata
@.data
.didat
.rsrc
@.reloc
CMDL
CMDP
w%s( 
j.Yf;
_tcPVj@
.PjRW
WINHTTP.dll
VERSION.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
gdiplus.dll
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
GetModuleHandleW (%s)
GetProcAddress (%s)
16:03:05
%s %d %d
%d:%d:%d
cmnbsInit %d
kernel32.dll
GetNamedPipeClientProcessId
GetNamedPipeServerProcessId
https
Unable to retrieve a path of the known folder (%d)!
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
d:\DEV\AvastNitro\BUILDS\Release\x86\SfxInstPaid.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.rsrc$01
.rsrc$02
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpCloseHandle
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
GdiplusShutdown
WinHttpCrackUrl
WinHttpSetOption
WinHttpSetTimeouts
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpSetCredentials
WinHttpQueryHeaders
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetCPInfo
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AU_Crt_new_delete@std@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
OpOnReboot: MoveFileEx('%s') successfully performed.
OpOnReboot: MoveFileEx('%s') failed, code %s
OpOnReboot: Direct delete of file '%s' successfully performed.
OpOnReboot: Cannot directly delete file '%s', code %s
0000-00-00 00:00:00
[%s] [%-7s] [%-15s] [%5lu:%5lu] %s
Failed to open the log file "%s" with error 0xlx!
GetValueImpl: cannot get value '%s\%s', code %s
SetValueImpl: cannot set value '%s' = '%d', code %s
servers.def
config.def
CustomInstallation.ini
Cannot get signature of archive '%s' (code 0x%x)
Error in signature of archive '%s' (code 0x%x)
Unknown signature type of archive '%s'
Error opening archive '%s'
Incorrect content length of archive '%s'
Archive '%s' is too small
Incorrect magic of archive '%s'
Cannot load map block of archive '%s'
Error loading map of archive '%s' (code 0x%x)
Error in unpacked map data of archive '%s'
SFX archive '%s' sucessfully loaded.
Unpacking %s
Error saving %s to a file '%s', code %d (0x%X)
license.avastlic
bcc.cfg.tmp
Avast for business public key
bcpub.key.tmp
rid.bin
Error saving embedded recommendation ID to a file '%s', code %d (0x%X)
pairing.bin
Error saving embedded ticket ID to a file '%s', code %d (0x%X)
prod-pgm.vpx
prod-vps.vpx
uat.vpx
Error extracting file '%s' (code 0x%x)
C:\TEMP
"%s" %s
Cannot get exit code of process '%s' (code 0x%x)
Error creating process '%s' (code 0x%x)
Reboot: Restarting windows...
Reboot: InitiateSystemShutdownEx returned 0xX
VVV.google-analytics.com
ntdll.dll
instup.exe
Instup.dll
Reboot.txt
bpubkey
\\.\ASWSP_Open
Logs\Setup.log
Running SFX '%s'
The installer has detected corrupted Avast Antivirus installation on this computer (service '%s' is running), thus this installer cannot continue. Use the 'avastclear.exe' utility to fix the problem or contact the avast! support team.
Avast was not detected but service '%s' is running. There is a corrupted avast installation, thus this installer cannot continue.
The installer cannot open the SFX archive '%s'. (code 0x%x)
Cannot open the SFX archive '%s' (code 0x%x)
_av_iup.tm~
~aswOfferTool.exe
GuiCust.dll
The installer cannot extract servers.def with error %s!
\servers.def
The installer cannot extract VPX files to '%s' (code 0x%x)
Cannot extract VPX files to '%s' (code 0x%x)
setup.ovr
avast.setup
Starting installer/updater executable '%s'
The stub cannot run installer/updater executable '%s' (code 0x%x)
Installer/updater executable '%s' finished (process return code 0x%x)
Leaving Avast SFX stub guarded code section (return code 0x%x)
hu/hu/hu hu:hu:hu START: Avast SFX stub executable
hu/hu/hu hu:hu:hu END: Avast SFX stub executable, return code %d (0xlx)
win,%d,%d,%d,%d,%d,%s%s
Unable to retrieve stats URL from file '%s' with error 0x08lx!
The operation completed successfully
Operation was cancelled
Proxy login needed
HTTP error
Retrying operation
%d (0xX)
SnxReboot.txt
FwReboot.txt
Stats.ini
Urls
LastVpsUrl
LastPgmUrl
defs\aswdefs.ini
ais_shl_web
alc_shl_web
ais_cmp_webrep
alc_cmp_webrep
setup.ini
product.groups
product.parts.current
product.parts.latest
Components.ini
ais_web_sh
ais_webrep
ais_cmp_webrep_x64
ais_webrep_x64
ais_cmp_webrep_chrome
ais_cmp_webrep_ff
ais_cmp_webrep_ie
.current
.latest
.groups
KERNEL32.DLL
%SystemRoot%
avast5.ini
aswCmnOS.dll
%s\Oem\%s
KeyFolder
ReportFolder
report
CertificateFile
HKEY_LOCAL_MACHINE
\UXTHEME.DLL
\MSCTF.DLL
JHOOK.DLL
X86\JHOOK.DLL
\LIB\NVDAHELPERREMOTE.DLL
user32.dll
\\.\PhysicalDrive%u
\\.\Scsi%u:
\\.\AswHWID
f\\.\aswSP_Handler
\\.\ASWSP
daavmGlob.cnt
aavmGlob.mtx
aavmRefr.now
aavmSema.apc
asw.script_blocking.conf_data
asw.script_blocking.conf_data_protect
aswAavmUp.evt
aswArPotTest.evt
aswLogDebug.mtx
AswMailSvc.Evt
aswUpdateNow.evt
Avast5.ChestMutex
AvWsCfgChg.evt
AvWsTrm.evt
vpsNew.sig
vpsUpdat.sig
Avast5.XLayer.AavmMutex
AswProxyCfgChg.evt
AswProxy.evt
avResWss64.mtx
avResE2K64.mtx
avResSPM64.mtx
avResMai64.mtx
NTDLL.DLL
\\?\UNC
\\.\%s
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
Unable to crack the URL '%s' into components!
Unable to crack the URL '%s' into components! Scheme is missing.
Unable to crack the URL '%s' into components! Hostname is missing.
Unable to initialize a WinHTTP connection!
Avast SimpleHttp/3.0
Unable to initialize a WinHTTP session!
Unable to set WinHTTP protocols (lx)!
Unable to set WinHTTP timeouts!
Unable to open file '%s'!
Unable to initialize WinHTTP request!
Unable to set WinHTTP context!
Unable to set WinHTTP status callback!
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
?:\Program Files\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
12.3.3154.0
SfxInst.exe

instup.exe_2036:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
AKv.AKv
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%H : %M : %S
%d / %m / %y
0123456789-
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
avBugReport.exe
GetModuleHandleW (%s)
GetProcAddress (%s)
0xx (%d)
Unable to retrieve a path of the known folder (%d)!
GetNamedPipeClientProcessId
GetNamedPipeServerProcessId
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
d:\DEV\AvastNitro\BUILDS\Release\x86\InstCont.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
VERSION.dll
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
Instup.dll
RPCRT4.dll
SHLWAPI.dll
GetCPInfo
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVwindows_file_codecvt@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AV?$Exportable@VIEventConnection@mi@asw@@@mi@asw@@
.?AVExportedFromModule@mi@asw@@
.?AVIExportable@mi@asw@@
.?AU_Crt_new_delete@std@@
.?AV?$Exportable@VILogger@log@asw@@@mi@asw@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8#9 939;9
: :$:(:,:0:4:8:\:
0"1-191?1
0 1$1(1,1014181
2%2s2
5%5s5
3=3
9 9$9(9,90949
2$2(2,2024282<2
<$<,<8<@<`<|<
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
\\.\ASWSP_Open
avast! Self-Defense trust was not acquired. Code %s
Cannot initialize Instup, return code %s
Error returned by Instup, return code %s
Error in Instup cleanup, return code %s
--send dumps|report
hu/hu/hu hu:hu:hu END: Avast installer/updater, return code %s
The operation completed successfully
Operation was cancelled
Proxy login needed
HTTP error
Retrying operation
%d (0xX)
dbghelp.dll
Install failed: cannot get filename of current process due to error: %d
Minidump generation failed with error: %d
Minidump created successfully. Exception code is: %x
Attempted to WriteDump while another operation is already in progress
unp%u%u.mdmp
"%s" --pid %d --exception_ptr %p --thread_id %d --dump_level %d --dump_file "%s" --comment "%s"
Failed to start process dumper at '%s' due to error: %d
Failed to get exit code from dumper process, error: %d
avDump32.exe
User-initiated crash in %d ms
ekernel32.dll
rKernel32.dll
KERNEL32.DLL
.tmp.
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\\.\GLOBALROOT
\\.\aswSP_Handler
\\.\ASWSP
daavmGlob.cnt
aavmGlob.mtx
aavmRefr.now
aavmSema.apc
asw.script_blocking.conf_data
asw.script_blocking.conf_data_protect
aswAavmUp.evt
aswArPotTest.evt
aswLogDebug.mtx
AswMailSvc.Evt
aswUpdateNow.evt
Avast5.ChestMutex
AvWsCfgChg.evt
AvWsTrm.evt
vpsNew.sig
vpsUpdat.sig
Avast5.XLayer.AavmMutex
AswProxyCfgChg.evt
AswProxy.evt
avResWss64.mtx
avResE2K64.mtx
avResSPM64.mtx
avResMai64.mtx
%SystemRoot%
avast5.ini
aswCmnOS.dll
%s\Oem\%s
KeyFolder
ReportFolder
report
CertificateFile
HKEY_LOCAL_MACHINE
\\.\%s
NTDLL.DLL
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup.exe
12.3.3154.0
InstCont.exe

svchost.exe_1700:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

svchost.exe_1700_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLD
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
mansoor-mans.ddns.net
google.fr.exe
{266BM021-35E2-GSW3-78P1-660EAO21QSP3}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Port
ftpuser
PTF.ftpserver.com
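
The region label and string list above are what the sandbox recorded for the module the sample mapped into svchost.exe: a private read-write-execute region at 0x10000000 carrying the keylogger class names, hook and FTP imports, the Run-key path, the autorun.inf template and the DDNS host. As an added example (not part of this report and not the sandbox's own tooling), the Python below parses that label format, flags the region's shape, and scans raw region bytes for the indicators and API names listed above in both narrow and UTF-16LE form. The grouping of APIs into capabilities and the sample region bytes are constructed for the example; that 0x10000000 is the default image base linkers give DLLs is a general fact, not something the report states.

```python
"""Triage helper for an injected RWX region: parses the dump's region label and
scans the raw bytes for the keylogger indicators and API names listed above.
Added example; not code from the original report."""
import re

# Indicator strings copied from the svchost.exe_1700_rwx_10000000_0004D000 dump above.
INDICATORS = {
    "family": ("XtremeKeylogger", "TServerKeylogger", "ServerKeyloggerU"),
    "c2": ("mansoor-mans.ddns.net", "PTF.ftpserver.com"),
    "persistence": (r"Software\Microsoft\Windows\CurrentVersion\Run",
                    "{266BM021-35E2-GSW3-78P1-660EAO21QSP3}"),
    "spread": ("autorun.inf", "shellexecute=", "icon=shell32.dll,4"),
    "dropped": ("google.fr.exe",),
}

# API names whose co-occurrence in one private region describes a capability
# (grouping is this example's own heuristic).
CAPABILITIES = {
    "keylogging": frozenset({"SetWindowsHookExW", "GetKeyboardState", "MapVirtualKeyW"}),
    "ftp_exfil": frozenset({"FtpPutFileW", "FtpSetCurrentDirectoryW"}),
    "download_exec": frozenset({"URLDownloadToCacheFileW", "ShellExecuteW"}),
}

# The sandbox labels regions <image>_<pid>_<prot>_<base>_<size>. 0x10000000 is the
# default image base linkers assign DLLs, so a private RWX region there is typical
# of a DLL mapped by hand into the host rather than loaded from disk.
REGION_RE = re.compile(r"^(?P<image>.+?)_(?P<pid>\d+)_(?P<prot>[rwx-]{3})_"
                       r"(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8})$")
DEFAULT_DLL_BASE = 0x10000000


def parse_region_label(label: str) -> dict:
    m = REGION_RE.match(label.rstrip(":"))
    if not m:
        raise ValueError(f"not a region label: {label!r}")
    base, size = int(m["base"], 16), int(m["size"], 16)
    return {"image": m["image"], "pid": int(m["pid"]), "prot": m["prot"],
            "base": base, "size": size,
            "writable_code": "w" in m["prot"] and "x" in m["prot"],
            "at_default_dll_base": base == DEFAULT_DLL_BASE}


def _present(region: bytes, s: str) -> int:
    """Offset of s in the region as ASCII or UTF-16LE, else -1."""
    for enc in (s.encode("ascii"), s.encode("utf-16-le")):
        off = region.find(enc)
        if off != -1:
            return off
    return -1


def find_indicators(region: bytes) -> dict:
    """category -> [(indicator, offset)] for every indicator present."""
    hits = {}
    for category, needles in INDICATORS.items():
        found = [(n, _present(region, n)) for n in needles]
        found = [(n, off) for n, off in found if off != -1]
        if found:
            hits[category] = found
    return hits


def find_capabilities(region: bytes) -> set:
    """Capabilities for which every API name of the group is present."""
    return {cap for cap, apis in CAPABILITIES.items()
            if all(_present(region, a) != -1 for a in apis)}


def classify(label: str, region: bytes) -> str:
    """Combine region shape and content into a one-word verdict."""
    meta = parse_region_label(label)
    ind, caps = find_indicators(region), find_capabilities(region)
    if "family" in ind or ("c2" in ind and caps):
        return "xtreme-keylogger"
    if meta["writable_code"] and caps:
        return "suspicious-injected-code"
    return "benign-or-unknown"


# Constructed sample region (not a real dump): a PE header stub followed by some of
# the strings from the page, some narrow and some wide, separated by NULs.
def _blob(*parts) -> bytes:
    return b"\x00".join(parts)


SAMPLE_REGION = _blob(
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    b"TServerKeylogger", "XtremeKeylogger".encode("utf-16-le"),
    b"SetWindowsHookExW", b"GetKeyboardState", b"MapVirtualKeyW",
    b"FtpPutFileW", b"FtpSetCurrentDirectoryW",
    b"URLDownloadToCacheFileW", b"ShellExecuteW",
    b"mansoor-mans.ddns.net",
    "{266BM021-35E2-GSW3-78P1-660EAO21QSP3}".encode("utf-16-le"),
    b"autorun.inf", b"icon=shell32.dll,4",
)
SAMPLE_LABEL = "svchost.exe_1700_rwx_10000000_0004D000:"

if __name__ == "__main__":
    print(parse_region_label(SAMPLE_LABEL))
    print(find_indicators(SAMPLE_REGION))
    print(sorted(find_capabilities(SAMPLE_REGION)))
    print(classify(SAMPLE_LABEL, SAMPLE_REGION))
```

On a live host the same functions apply to a region read out of the process (for instance a ReadProcessMemory dump of every private executable page); the label parser exists so the sandbox's own naming can drive the scan. Matching the persistence value name in UTF-16 matters because registry value names are written as wide strings, so a narrow-only search would miss it.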

iexplore.exe_1052:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_1052_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLD
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
mansoor-mans.ddns.net
google.fr.exe
{266BM021-35E2-GSW3-78P1-660EAO21QSP3}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Port
ftpuser
PTF.ftpserver.com
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe
%Program Files%\Internet Explorer\iexplore.exe

google.fr.exe_3908_rwx_00312000_00002000:

6%Ci(

google.fr.exe_3908_rwx_692D2000_00002000:

.iOj?ifj?iK
@*-iu}6i

instup.exe_3336:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
AKv.AKv
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%H : %M : %S
%d / %m / %y
0123456789-
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
avBugReport.exe
GetModuleHandleW (%s)
GetProcAddress (%s)
0xx (%d)
Unable to retrieve a path of the known folder (%d)!
GetNamedPipeClientProcessId
GetNamedPipeServerProcessId
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
d:\DEV\AvastNitro\BUILDS\Release\x86\InstCont.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
VERSION.dll
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
Instup.dll
RPCRT4.dll
SHLWAPI.dll
GetCPInfo
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVwindows_file_codecvt@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AV?$Exportable@VIEventConnection@mi@asw@@@mi@asw@@
.?AVExportedFromModule@mi@asw@@
.?AVIExportable@mi@asw@@
.?AU_Crt_new_delete@std@@
.?AV?$Exportable@VILogger@log@asw@@@mi@asw@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
8#9 939;9
: :$:(:,:0:4:8:\:
0"1-191?1
0 1$1(1,1014181
2%2s2
5%5s5
3=3
9 9$9(9,90949
2$2(2,2024282<2
<$<,<8<@<`<|<
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
\\.\ASWSP_Open
avast! Self-Defense trust was not acquired. Code %s
Cannot initialize Instup, return code %s
Error returned by Instup, return code %s
Error in Instup cleanup, return code %s
--send dumps|report
hu/hu/hu hu:hu:hu END: Avast installer/updater, return code %s
The operation completed successfully
Operation was cancelled
Proxy login needed
HTTP error
Retrying operation
%d (0xX)
dbghelp.dll
Install failed: cannot get filename of current process due to error: %d
Minidump generation failed with error: %d
Minidump created successfully. Exception code is: %x
Attempted to WriteDump while another operation is already in progress
unp%u%u.mdmp
"%s" --pid %d --exception_ptr %p --thread_id %d --dump_level %d --dump_file "%s" --comment "%s"
Failed to start process dumper at '%s' due to error: %d
Failed to get exit code from dumper process, error: %d
avDump32.exe
User-initiated crash in %d ms
ekernel32.dll
rKernel32.dll
KERNEL32.DLL
.tmp.
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\\.\GLOBALROOT
\\.\aswSP_Handler
\\.\ASWSP
daavmGlob.cnt
aavmGlob.mtx
aavmRefr.now
aavmSema.apc
asw.script_blocking.conf_data
asw.script_blocking.conf_data_protect
aswAavmUp.evt
aswArPotTest.evt
aswLogDebug.mtx
AswMailSvc.Evt
aswUpdateNow.evt
Avast5.ChestMutex
AvWsCfgChg.evt
AvWsTrm.evt
vpsNew.sig
vpsUpdat.sig
Avast5.XLayer.AavmMutex
AswProxyCfgChg.evt
AswProxy.evt
avResWss64.mtx
avResE2K64.mtx
avResSPM64.mtx
avResMai64.mtx
%SystemRoot%
avast5.ini
aswCmnOS.dll
%s\Oem\%s
KeyFolder
ReportFolder
report
CertificateFile
HKEY_LOCAL_MACHINE
\\.\%s
NTDLL.DLL
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe
12.3.3154.0
InstCont.exe


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    aswOfferTool.exe:3048
    aswOfferTool.exe:1656
    aswOfferTool.exe:2856
    FB_587C.tmp.exe:656
    %original file name%.exe:2196
    WScript.exe:3900
    instup.exe:2036
    instup.exe:3336
    FB_53E9.tmp.exe:2360
    avast_premier_antivirus_setup_online.exe:3504
    rytr5674657gfhgjgj.eXe:992

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe (678 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (8250 bytes)
    %Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe (101262 bytes)
    %Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe (3878 bytes)
    %Program Files%\AVAST Software\Avast Antivirus\M.vbs (6697 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
    %Program Files%\AVAST Software\Avast Antivirus\Uninstall.ini (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe (32685 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx (591 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe (4185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.lkg (24 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe (15799 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (451 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122403.vpx (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (78553 bytes)
    C:\$Directory (1152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-8.vpx (225 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (24822 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx (434 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe (5441 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx (725 bytes)
    C:\ProgramData\AVAST Software\Avast\avast5.ini (838 bytes)
    C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (27530 bytes)
    C:\Windows\System32\config\SYSTEM.LOG1 (4875 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
    C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (794 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (2668 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1319.vpx (841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe (7733 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (15278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx (513 bytes)
    C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log.tmp.cc4b2451-75b9-4c75-9742-0fb1c6e807d7 (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-0.vpx (212 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1.vpx (213 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122402.vpx (298 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.vpx (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe (1783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-setup_ais-c0308e8.vpx (97 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-prg_ais-c0308e8.vpx (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx (891 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16081802.vpx (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-11af.vpx (868 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-7.vpx (221 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx (780 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe (154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe (69 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk. The file list above is the sandbox's record of every file the sample created or modified, not a list of malicious files: C:\Windows\System32\config\SYSTEM.LOG1 is the transaction log of the SYSTEM registry hive and must not be deleted, and the files under %Program Files%\AVAST Software\ and ...\Temp\_av_iup.tm~a02100\ belong to an Avast online installer (version 12.3.3154.0 according to the instup.exe dumps above) that the sample launches; treat it as a bundled legitimate installer rather than as malware. The sample's own artefacts are the temporary executables (FB_587C.tmp.exe, FB_53E9.tmp.exe, rytr5674657gfhgjgj.eXe, google.fr.exe), the M.vbs script, the Run-key entry, and the code injected into svchost.exe and iexplore.exe.
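
Step 5 is the one that usually gets skipped, and the dumps above show what to look for: the injected module carries the template strings icon=shell32.dll,4 and shellexecute= for the autorun.inf it writes. As an added example (not part of this report), the Python below parses an autorun.inf the way a triage script would, tolerating the junk padding worms put in front of the real section, and reports both the launch directive and the disguise entries. Windows 7 and later (and XP/Vista after the February 2011 AutoRun update) no longer run autorun.inf commands from USB drives, so the disguise matters as much as the launch entry: a drive root that shows the stock folder icon still gets double-clicked. The worm's file name on the drive and the sample autorun.inf contents are assumptions for the example; the page only shows the template strings.

```python
"""Triage helper for autorun.inf files collected from removable drives
(removal step 5 above). Added example; not code from the original report."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}                 # directives AutoRun executes
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command= is one too
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
FOLDER_ICON = "shell32.dll,4"   # stock folder icon (the dump's icon= string)


def _unquote(value: str) -> str:
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_autorun(text: str) -> dict:
    """Lenient parse: keys are case-insensitive, binary padding and junk lines are
    skipped, and only the [autorun] section is kept, which is all AutoRun reads."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = _unquote(value)
    return entries


def program_of(target: str) -> str:
    """Program part of an open=/shellexecute= value, honouring a quoted path."""
    target = target.strip()
    if target.startswith('"') and '"' in target[1:]:
        return target[1:target.index('"', 1)]
    return target.split()[0] if target else ""


def launch_targets(entries: dict) -> list:
    """(key, value) for every directive that runs a program."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def triage(text: str) -> dict:
    entries = parse_autorun(text)
    findings = []
    for key, target in launch_targets(entries):
        exe = program_of(target)
        sev = "high" if exe.lower().endswith(EXEC_EXT) else "medium"
        findings.append((sev, f"{key}= runs {exe!r}"))
    if entries.get("icon", "").lower() == FOLDER_ICON:
        findings.append(("medium", "icon=shell32.dll,4 disguises the drive as a folder"))
    if "open folder" in entries.get("action", "").lower():
        findings.append(("medium",
                         f"action= imitates Explorer's own option: {entries['action']!r}"))
    if any(s == "high" for s, _ in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"entries": entries, "findings": findings, "verdict": verdict}


# Constructed samples (not files from the analysis). The worm's file name on the
# drive is an assumption; the report only shows the template strings.
SAMPLE_WORM_INF = ("\x02\x7f;binary padding some worms put before the real section\n"
                   "[autorun]\nicon=shell32.dll,4\nshellexecute=svchost.exe\n"
                   "action=Open folder to view files\n")
SAMPLE_CLEAN_INF = "[autorun]\nlabel=Photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, inf in (("worm", SAMPLE_WORM_INF), ("clean", SAMPLE_CLEAN_INF)):
        result = triage(inf)
        print(name, result["verdict"])
        for sev, msg in result["findings"]:
            print("  ", sev, msg)
```

Run it over every autorun.inf found at the root of each removable drive; the program_of() value is the file to remove alongside the .inf, and a drive whose .inf is "suspicious" rather than "malicious" still deserves a look at its hidden files, since the lure works without a launch entry.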
