not-a-virus.AdWare.Win32.AdLoad.zcjp_526bfae1b6

by malwarelabrobot on April 15th, 2017 in Malware Descriptions.

not-a-virus:AdWare.Win32.AdLoad.zcjp (Kaspersky), Trojan.LoadMoney.1965 (DrWeb), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 526bfae1b658e9775dc84badc8656fa1
SHA1: f048e4c1cd29e5a04508310e81bf337ec545a994
SHA256: 5dc4ead07606135f14bbbf0608635e8b433d7c61e34c05bdef5ec33d58432ccb
SSDeep: 393216:4SfneQPwwL Nc9gKgRkDgbK/nIei1lp2ofG0TxkxuweMe1BUjwZ1a 8RY:pe51ciRe9ZiEujqGlwUT
Size: 17847144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company:
Created at: 2012-01-09 15:44:10
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

7z.exe:2724
7z.exe:992
%original file name%.exe:2012
WScript.exe:4084
mshta.exe:2104

The not-a-virus injects its code into the following process(es):

c program instal resourse creativecloudset-up.exe:1304
opera.exe:3980

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 7z.exe:2724 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Program instal\region\ua\ru\search.ini (9 bytes)
C:\Program instal\region\cn\en\bookmarks.adr (2 bytes)
C:\Program instal\ui\embedded_mouse.ini (583 bytes)
C:\Program instal\profile\download.dat (774 bytes)
C:\Program instal\profile\windows-opengl.blocklist.json (6 bytes)
C:\Program instal\profile\global_history.dat (634 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/yandex/favicon.png (570 bytes)
C:\Program instal\profile\icons\vk.com.idx (108 bytes)
C:\Program instal\profile\application_cache\mcache\vlink4.dat (12 bytes)
C:\Program instal\styles\plugins.css (2 bytes)
C:\Program instal\styles\images\red_left.png (327 bytes)
C:\Program instal\defaults\xmlentities.ini (2 bytes)
C:\Program instal\region\hk\turbosettings.xml (551 bytes)
C:\Program instal\profile\styles\user\contrastwb.css (705 bytes)
C:\Program instal\gstreamer\LGPL.txt (25 bytes)
C:\Program instal\region\eg\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/video/ru/favicon.png (347 bytes)
C:\Program instal\profile\styles\user\structuretables.css (2 bytes)
C:\Program instal\profile\cache\revocation\dcache4.url (22 bytes)
C:\Program instal\region\id\bookmarks.adr (6 bytes)
C:\Program instal\region\in\search.ini (7 bytes)
C:\Program instal\defaults\feedreaders.ini (718 bytes)
C:\Program instal\profile\override_downloaded.ini (11 bytes)
C:\Program instal\html5_entity_init.dat (36 bytes)
C:\Program instal\profile\icons\cache\g_0000\opr00006.tmp (30 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/google/favicon.png (397 bytes)
C:\Program instal\styles\image.css (516 bytes)
C:\Program instal\profile\dictionaries\dictionaries.xml (4 bytes)
C:\Program instal\styles\images\customize.gif (243 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/rambler/favicon.png (163 bytes)
C:\Program instal\profile\vps\0000\wb.vx (98 bytes)
C:\Program instal\region\latin_america\search.ini (7 bytes)
C:\Program instal\profile\styles\user\disablepositioning.css (243 bytes)
C:\Program instal\region\ru\search.ini (9 bytes)
C:\Program instal\defaults\public_domains.dat (100 bytes)
C:\Program instal\profile\icons\cache\vlink4.dat (12 bytes)
C:\Program instal\styles\images\red_center.png (190 bytes)
C:\Program instal\ui\dialogs.yml (84 bytes)
C:\Program instal\profile\next-kmsauto-net.lnk (718 bytes)
C:\Program instal\styles\user\contrastbw.css (673 bytes)
C:\Program instal\extra\windows-direct3d-10.blocklist.json (1 bytes)
C:\Program instal\profile\pstorage\00\12\00000000 (455 bytes)
C:\Program instal\region\cis\ru\bookmarks.adr (7 bytes)
C:\Program instal\profile\windows-direct3d-10.blocklist.json (1 bytes)
C:\Program instal\styles\images\top.png (360 bytes)
C:\Program instal\gstreamer\plugins\gstaudioresample.dll (94 bytes)
C:\Program instal\profile\opthumb.dat (778 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/wikipedia/favicon.png (322 bytes)
C:\Program instal\styles\debug.css (3 bytes)
C:\Program instal\styles\dir.css (25 bytes)
C:\Program instal\gstreamer\plugins\gstoggdec.dll (962 bytes)
C:\Program instal\profile\icons\win.mail.ru.idx (132 bytes)
C:\Program instal\profile\icons\www.opera.com.idx (487 bytes)
C:\Program instal\profile\pstorage\00\06\00000000 (376 bytes)
C:\Program instal\gstreamer\plugins\gstaudioconvert.dll (93 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/avia1/ru/favicon.png (553 bytes)
C:\Program instal\profile\oprand.dat (4 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/groupon.ru/favicon.png (239 bytes)
C:\Program instal\styles\images\opera.png (5 bytes)
C:\Program instal\region\ke\standard_speeddial.ini (1 bytes)
C:\Program instal\ui\fastforward.ini (2 bytes)
C:\Program instal\styles\gpu.css (62 bytes)
C:\Program instal\styles\images\page-bot.png (1 bytes)
C:\Program instal\profile\toolbar\standard_toolbar.ini (683 bytes)
C:\Program instal\styles\images\container.png (12 bytes)
C:\Program instal\styles\mail.css (1 bytes)
C:\Program instal\locale\ru\bookmarks.adr (7 bytes)
C:\Program instal\styles\about.css (27 bytes)
C:\Program instal\region\ph\standard_speeddial.ini (1 bytes)
C:\Program instal\ui\standard_mouse.ini (1 bytes)
C:\Program instal\styles\images\bkgd.png (860 bytes)
C:\Program instal\profile\icons\http://www.opera.com/favicon.png (586 bytes)
C:\Program instal\region\region.ini (1 bytes)
C:\Program instal\profile\icons\www.google.com.idx (146 bytes)
C:\Program instal\profile\bookmarks.adr (11 bytes)
C:\Program instal\region\vn\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\spdysett.dat (12 bytes)
C:\Program instal\region\cn\browser.js (122 bytes)
C:\Program instal\region\cn\en\search.ini (8 bytes)
C:\Program instal\profile\icons\http://www.litres.ru/favicon.png (340 bytes)
C:\Program instal\mapi\OperaMAPI.dll (807 bytes)
C:\Program instal\profile\search.ini (2 bytes)
C:\Program instal\profile\vps\0000\adoc.bx (4 bytes)
C:\Program instal\styles\user\disableforms.css (269 bytes)
C:\Program instal\profile\styles\user\disablefloats.css (229 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/shopping4/ru/favicon.png (928 bytes)
C:\Program instal\region\id\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\www.opera-usb.com.idx (71 bytes)
C:\Program instal\profile\tips.ini (291 bytes)
C:\Program instal\profile\icons\cache\g_0000\opr00004.tmp (102 bytes)
C:\Program instal\region\tw\turbosettings.xml (551 bytes)
C:\Program instal\styles\user\disablefloats.css (229 bytes)
C:\Program instal\profile\opcache\dcache4.url (13 bytes)
C:\Program instal\region\gb\search.ini (8 bytes)
C:\Program instal\styles\images\bar.png (192 bytes)
C:\Program instal\profile\opcert6.dat (12 bytes)
C:\Program instal\profile\mail\omailbase.dat (4 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/auto/ru/favicon.png (375 bytes)
C:\Program instal\gstreamer\plugins\gstdirectsound.dll (67 bytes)
C:\Program instal\styles\images\Opera_256x256.png (18 bytes)
C:\Program instal\extra\missingpluginhover.svg (671 bytes)
C:\Program instal\defaults\handlers-ignore.ini (636 bytes)
C:\Program instal\profile\icons\http://pisbrat5.tmweb.ru/favicon.png (711 bytes)
C:\Program instal\region\se\bookmarks.adr (7 bytes)
C:\Program instal\defaults\tips_metadata.ini (1 bytes)
C:\Program instal\profile\styles\user\structureinline.css (2 bytes)
C:\Program instal\region\gb\bookmarks.adr (8 bytes)
C:\Program instal\profile\opicacrt6.dat (9 bytes)
C:\Program instal\region\cis\en\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\cache\CACHEDIR.TAG (188 bytes)
C:\Program instal\profile\opuntrust.dat (12 bytes)
C:\Program instal\profile\icons\redir.opera.com.idx (3 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/shopping1/ru/favicon.png (427 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/yahoo/favicon.png (736 bytes)
C:\Program instal\styles\images\darkBox.png (142 bytes)
C:\Program instal\region\ph\bookmarks.adr (5 bytes)
C:\Program instal\styles\feed.css (1 bytes)
C:\Program instal\styles\user\tablelayout.css (258 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/skyscanner/favicon.png (885 bytes)
C:\Program instal\profile\vps\0000\md.dat (65 bytes)
C:\Program instal\skin\standard_skin.zip (1 bytes)
C:\Program instal\styles\search.css (558 bytes)
C:\Program instal\styles\user\toc.css (4 bytes)
C:\Program instal\region\ar\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\en.wikipedia.org.idx (120 bytes)
C:\Program instal\gstreamer\gstreamer.dll (931 bytes)
C:\Program instal\profile\styles\user\tablelayout.css (258 bytes)
C:\Program instal\defaults\standard_trusted_repositories.ini (262 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/izone/favicon.png (372 bytes)
C:\Program instal\region\za\bookmarks.adr (7 bytes)
C:\Program instal\profile\icons\cache\g_0000\opr00005.tmp (18 bytes)
C:\Program instal\D3DCompiler_43.dll (2389 bytes)
C:\Program instal\profile\styles\user\contrastbw.css (673 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/avia/ru/favicon.png (267 bytes)
C:\Program instal\styles\images\bkgd-rev.png (1 bytes)
C:\Program instal\styles\images\root.png (123 bytes)
C:\Program instal\profile\icons\pisbrat5.tmweb.ru.idx (185 bytes)
C:\Program instal\profile\icons\cache\cookies4.dat (13 bytes)
C:\Program instal\region\ru\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\sessions\autosave.win.bak (1 bytes)
C:\Program instal\profile\opssl6.dat (16 bytes)
C:\Program instal\profile\dictionaries\de.zip (820 bytes)
C:\Program instal\region\latin_america\standard_speeddial.ini (1 bytes)
C:\Program instal\operaprefs_default.ini (255 bytes)
C:\Program instal\profile\styles\user\toc.css (4 bytes)
C:\Program instal\region\in\bookmarks.adr (10 bytes)
C:\Program instal\profile\icons\mail.yandex.ru.idx (86 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/hotels.com/favicon.png (193 bytes)
C:\Program instal\styles\im.css (2 bytes)
C:\Program instal\ui\embedded_menu.ini (12 bytes)
C:\Program instal\ui\standard_keyboard_compat.ini (26 bytes)
C:\Program instal\profile\application_cache\mcache\dcache4.url (20 bytes)
C:\Program instal\styles\images\tooltiptail.png (414 bytes)
C:\Program instal\profile\dictionaries\de_AT.zip (821 bytes)
C:\Program instal\region\za\standard_speeddial.ini (1 bytes)
C:\Program instal\extra\windows-opengl.blocklist.json (6 bytes)
C:\Program instal\region\latin_america\bookmarks.adr (7 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/bigpoint/favicon.png (936 bytes)
C:\Program instal\region\ru\bookmarks.adr (9 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/booking/favicon.png (317 bytes)
C:\Program instal\gstreamer\plugins\gstwavparse.dll (73 bytes)
C:\Program instal\region\us\search.ini (8 bytes)
C:\Program instal\profile\icons\https://2ip.ru/favicon.png (729 bytes)
C:\Program instal\opera.dll (17121 bytes)
C:\Program instal\profile\cache\revocation\vlink4.dat (12 bytes)
C:\Program instal\styles\wml.css (1 bytes)
C:\Program instal\styles\user\disablebreaks.css (213 bytes)
C:\Program instal\profile\icons\my.opera.com.idx (157 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/myopera/favicon.png (619 bytes)
C:\Program instal\profile\pstorage\00\18\00000000 (4 bytes)
C:\Program instal\defaults\dictionaries.xml (4 bytes)
C:\Program instal\profile\vps\0000\url.axx (8 bytes)
C:\Program instal\styles\images\hanger.png (16 bytes)
C:\Program instal\styles\mime.css (9 bytes)
C:\Program instal\region\pk\bookmarks.adr (5 bytes)
C:\Program instal\profile\vlink4.dat (4 bytes)
C:\Program instal\profile\icons\http://www.opera-usb.com/favicon.png (797 bytes)
C:\Program instal\styles\private.css (798 bytes)
C:\Program instal\region\tw\browser.js (122 bytes)
C:\Program instal\styles\user\accessibility.css (2 bytes)
C:\Program instal\defaults\search.ini (8 bytes)
C:\Program instal\ui\widgets.yml (26 bytes)
C:\Program instal\region\hk\browser.js (122 bytes)
C:\Program instal\profile\typed_history.xml (1 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/alawar/favicon.png (740 bytes)
C:\Program instal\region\middle_east\bookmarks.adr (3 bytes)
C:\Program instal\gstreamer\plugins\gstautodetect.dll (24 bytes)
C:\Program instal\profile\icons\www.fastmail.fm.idx (94 bytes)
C:\Program instal\styles\user\structureinline.css (2 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/bing/favicon.png (268 bytes)
C:\Program instal\locale\en\en.lng (196 bytes)
C:\Program instal\region\pk\standard_speeddial.ini (1 bytes)
C:\Program instal\locale\en\en.zip (241 bytes)
C:\Program instal\styles\images\warning.png (2 bytes)
C:\Program instal\region\my\standard_speeddial.ini (1 bytes)
C:\Program instal\locale\ru\search.ini (8 bytes)
C:\Program instal\gstreamer\plugins\gstffmpegcolorspace.dll (158 bytes)
C:\Program instal\profile\optrust.dat (12 bytes)
C:\Program instal\profile\cookies4.dat (7 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/soft/ru/favicon.png (809 bytes)
C:\Program instal\locale\ru\standard_speeddial.ini (1 bytes)
C:\Program instal\files_old.sig (24 bytes)
C:\Program instal\styles\images\folder.png (792 bytes)
C:\Program instal\styles\cache.css (23 bytes)
C:\Program instal\region\middle_east\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\www.yandex.ru.idx (113 bytes)
C:\Program instal\gstreamer\README.txt (401 bytes)
C:\Program instal\styles\certinfo.css (3 bytes)
C:\Program instal\opera.exe (2229 bytes)
C:\Program instal\defaults\plugin-ignore.ini (1 bytes)
C:\Program instal\styles\history.css (420 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/amazon/favicon.png (360 bytes)
C:\Program instal\profile\styles\user\structureblock.css (4 bytes)
C:\Program instal\styles\unstyledxml.css (2 bytes)
C:\Program instal\profile\pstorage\00\13\00000001 (939 bytes)
C:\Program instal\profile\pstorage\00\13\00000000 (366 bytes)
C:\Program instal\profile\cache\dcache4.url (90 bytes)
C:\Program instal\styles\images\arrow.png (106 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/gamexp/favicon.png (829 bytes)
C:\Program instal\styles\info.css (779 bytes)
C:\Program instal\styles\user\outline.css (735 bytes)
C:\Program instal\gstreamer\plugins\gstwaveform.dll (38 bytes)
C:\Program instal\styles\contentblock.css (331 bytes)
C:\Program instal\profile\speeddial.ini (273 bytes)
C:\Program instal\styles\user\structureblock.css (4 bytes)
C:\Program instal\files.sig (18 bytes)
C:\Program instal\profile\icons\portal.opera.com.idx (159 bytes)
C:\Program instal\region\ar\search.ini (7 bytes)
C:\Program instal\region\us\bookmarks.adr (7 bytes)
C:\Program instal\profile\styles\user\altdebugger.css (1 bytes)
C:\Program instal\profile\styles\user\accessibility.css (2 bytes)
C:\Program instal\region\au\standard_speeddial.ini (1 bytes)
C:\Program instal\styles\m2_welcome_message.mbs (158 bytes)
C:\Program instal\region\kz\bookmarks.adr (6 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/drom/favicon.png (499 bytes)
C:\Program instal\profile\operaprefs.ini (3 bytes)
C:\Program instal\region\my\bookmarks.adr (7 bytes)
C:\Program instal\gstreamer\plugins\gstcoreplugins.dll (96 bytes)
C:\Program instal\lngcode.txt (3 bytes)
C:\Program instal\profile\icons\cache\g_0000\opr00001.tmp (10 bytes)
C:\Program instal\ui\standard_toolbar.ini (54 bytes)
C:\Program instal\gstreamer\plugins\gstdecodebin2.dll (62 bytes)
C:\Program instal\profile\mail\accounts.ini (775 bytes)
C:\Program instal\styles\images\red_right.png (343 bytes)
C:\Program instal\styles\warning.css (1 bytes)
C:\Program instal\styles\images\flag.png (258 bytes)
C:\Program instal\region\cis\en\bookmarks.adr (4 bytes)
C:\Program instal\profile\icons\https://whoer.net/favicon.png (572 bytes)
C:\Program instal\styles\error.css (1 bytes)
C:\Program instal\styles\mathml.css (14 bytes)
C:\Program instal\styles\webstorage.css (422 bytes)
C:\Program instal\styles\images\search.png (453 bytes)
C:\Program instal\styles\images\bullet.png (349 bytes)
C:\Program instal\profile\icons\go.mail.ru.idx (108 bytes)
C:\Program instal\profile\autoupdate_region.dat (15 bytes)
C:\Program instal\styles\drives.css (658 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/mailru/favicon.png (835 bytes)
C:\Program instal\styles\images\smartGroup.png (1 bytes)
C:\Program instal\region\cn\en\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\handlers.ini (62 bytes)
C:\Program instal\styles\images\section.png (204 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/ozon/favicon.png (413 bytes)
C:\Program instal\styles\user\disabletables.css (410 bytes)
C:\Program instal\profile\icons\yahoo.opera.com.idx (108 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/softportal/favicon.png (243 bytes)
C:\Program instal\ui\embedded_keyboard.ini (8 bytes)
C:\Program instal\profile\icons\ru.wikipedia.org.idx (251 bytes)
C:\Program instal\profile\icons\www.bing.com.idx (113 bytes)
C:\Program instal\mathml.dtd (59 bytes)
C:\Program instal\defaults\webmailproviders.ini (591 bytes)
C:\Program instal\profile\icons\http://img.yandex.net/i/favicon.png (250 bytes)
C:\Program instal\locale\ru\ru.lng (316 bytes)
C:\Program instal\styles\opera.css (2 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/searchmailru/favicon.png (456 bytes)
C:\Program instal\profile\icons\cache\g_0000\opr00003.tmp (27 bytes)
C:\Program instal\profile\tasks.xml (249 bytes)
C:\Program instal\region\ng\standard_speeddial.ini (1 bytes)
C:\Program instal\region\ua\ru\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\styles\user\outline.css (735 bytes)
C:\Program instal\styles\user\disablepositioning.css (243 bytes)
C:\Program instal\profile\icons\http://ebay.ru/favicon.png (163 bytes)
C:\Program instal\styles\images\center.png (173 bytes)
C:\Program instal\region\eg\bookmarks.adr (4 bytes)
C:\Program instal\region\eg\search.ini (7 bytes)
C:\Program instal\ui\standard_menu.ini (101 bytes)
C:\Program instal\pubsuffix.xml (1119 bytes)
C:\Program instal\region\vn\bookmarks.adr (6 bytes)
C:\Program instal\ui\dialog.ini (171 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/vkontakte/favicon.png (587 bytes)
C:\Program instal\styles\user\classid.css (1 bytes)
C:\Program instal\profile\icons\whoer.net.idx (57 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/opera.sports.com/favicon.png (554 bytes)
C:\Program instal\styles\m2_upgrade_1160.mbs (267 bytes)
C:\Program instal\region\au\bookmarks.adr (7 bytes)
C:\Program instal\region\gb\standard_speeddial.ini (1 bytes)
C:\Program instal\styles\message.css (54 bytes)
C:\Program instal\region\cis\ru\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\cache\dcache4.url (47 bytes)
C:\Program instal\html40_entities.dtd (7 bytes)
C:\Program instal\profile\sessions\autosave.win (1 bytes)
C:\Program instal\region\ng\bookmarks.adr (6 bytes)
C:\Program instal\styles\images\file.png (534 bytes)
C:\Program instal\region\ua\ru\bookmarks.adr (7 bytes)
C:\Program instal\gstreamer\plugins\gstwebmdec.dll (101 bytes)
C:\Program instal\styles\user\contrastwb.css (705 bytes)
C:\Program instal\region\us\standard_speeddial.ini (1 bytes)
C:\Program instal\program\plugins\readme.txt (76 bytes)
C:\Program instal\region\cn\turbosettings.xml (130 bytes)
C:\Program instal\ui\standard_keyboard.ini (29 bytes)
C:\Program instal\profile\icons\2ip.ru.idx (51 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/opera/favicon.png (619 bytes)
C:\Program instal\defaults\mailproviders.xml (40 bytes)
C:\Program instal\styles\config.css (7 bytes)
C:\Program instal\profile\icons\http://img.imgsmail.ru/r/favicon.png (916 bytes)
C:\Program instal\profile\icons\addons.opera.com.idx (88 bytes)
C:\Program instal\profile\opcacrt6.dat (34 bytes)
C:\Program instal\styles\cpu.css (662 bytes)
C:\Program instal\profile\pstorage\psindex.dat (1 bytes)
C:\Program instal\styles\user\structuretables.css (2 bytes)
C:\Program instal\region\ke\bookmarks.adr (7 bytes)
C:\Program instal\region\mx\bookmarks.adr (7 bytes)
C:\Program instal\profile\styles\user\disabletables.css (410 bytes)
C:\Program instal\region\kz\search.ini (8 bytes)
C:\Program instal\region\cis\ru\search.ini (8 bytes)
C:\Program instal\defaults\license.txt (16 bytes)
C:\Program instal\region\mx\standard_speeddial.ini (1 bytes)
C:\Program instal\region\mx\search.ini (7 bytes)
C:\Program instal\profile\mail\indexer\message_id (4 bytes)
C:\Program instal\region\ar\bookmarks.adr (6 bytes)
C:\Program instal\region\cis\en\search.ini (9 bytes)
C:\Program instal\profile\styles\user\disablebreaks.css (213 bytes)
C:\Program instal\styles\user\altdebugger.css (1 bytes)
C:\Program instal\styles\media.css (731 bytes)
C:\Program instal\profile\application_cache\cache_groups.xml (36 bytes)
C:\Program instal\styles\images\opera-icon-red.png (24 bytes)
C:\Program instal\profile\icons\www.ozon.ru.idx (133 bytes)
C:\Program instal\locale\en\license.txt (16 bytes)
C:\Program instal\profile\styles\user\classid.css (1 bytes)
C:\Program instal\extra\missingplugin.svg (753 bytes)
C:\Program instal\region\se\standard_speeddial.ini (1 bytes)
C:\Program instal\styles\images\defaultFavicon.png (763 bytes)
C:\Program instal\profile\webserver\users.xml (35 bytes)
C:\Program instal\region\in\standard_speeddial.ini (1 bytes)
C:\Program instal\profile\icons\persistent.txt (5 bytes)
C:\Program instal\region\id\search.ini (8 bytes)
C:\Program instal\encoding.bin (526 bytes)
C:\Program instal\styles\webfeeds.html (12 bytes)
C:\Program instal\styles\images\error.png (2 bytes)
C:\Program instal\profile\icons\https://www.fastmail.fm/favicon.png (431 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/ebay/favicon.png (163 bytes)
C:\Program instal\region\kz\standard_speeddial.ini (1 bytes)
C:\Program instal\region\middle_east\search.ini (7 bytes)
C:\Program instal\profile\styles\user\disableforms.css (269 bytes)
C:\Program instal\profile\vps\0000\w.axx (65 bytes)
C:\Program instal\profile\icons\http://redir.opera.com/favicons/blekko/favicon.png (203 bytes)

The process 7z.exe:992 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Program instal\resourse\creativecloudset-up.exe (11403 bytes)

The process %original file name%.exe:2012 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Program instal\ads.hta (2 bytes)
C:\Program instal\7-zip.dll (49 bytes)
C:\Program instal\Lang\fi.txt (8 bytes)
C:\Program instal\Lang\fa.txt (10 bytes)
C:\Program instal\Lang\uk.txt (15 bytes)
C:\Program instal\Lang\mng.txt (20 bytes)
C:\Program instal\Lang\en.ttt (7 bytes)
C:\Program instal\My file.gif (3 bytes)
C:\Program instal\Lang\ro.txt (7 bytes)
C:\Program instal\7z.exe (1425 bytes)
C:\Program instal\Lang\nb.txt (6 bytes)
C:\Program instal\Lang\hy.txt (14 bytes)
C:\Program instal\Lang\ky.txt (12 bytes)
C:\Program instal\Lang\cs.txt (7 bytes)
C:\Program instal\Lang\cy.txt (5 bytes)
C:\Program instal\Lang\ka.txt (18 bytes)
C:\Program instal\Lang\uz.txt (7 bytes)
C:\Program instal\Lang\ms.txt (5 bytes)
C:\Program instal\Lang\fur.txt (7 bytes)
C:\Program instal\sleep.exe (5 bytes)
C:\Program instal\7z.dll (7433 bytes)
C:\Program instal\Lang\af.txt (5 bytes)
C:\Program instal\Lang\pa-in.txt (15 bytes)
C:\Program instal\Lang\sq.txt (6 bytes)
C:\Program instal\verk.7z.002 (7385 bytes)
C:\Program instal\Lang\ga.txt (8 bytes)
C:\Program instal\Lang\ja.txt (11 bytes)
C:\Program instal\verk.7z.001 (15019 bytes)
C:\Program instal\Lang\gl.txt (5 bytes)
C:\Program instal\go.vbs (1 bytes)
C:\Program instal\Lang\nl.txt (9 bytes)
C:\Program instal\Lang\ru.txt (14 bytes)
C:\Program instal\Lang\he.txt (9 bytes)
C:\Program instal\Lang\is.txt (8 bytes)
C:\Program instal\Lang\fr.txt (9 bytes)
C:\Program instal\Lang\pl.txt (8 bytes)
C:\Program instal\Lang\mr.txt (10 bytes)
C:\Program instal\Lang\ast.txt (5 bytes)
C:\Program instal\Lang\lij.txt (7 bytes)
C:\Program instal\ad.ico (32 bytes)
C:\Program instal\Lang\ku.txt (5 bytes)
C:\Program instal\Lang\eo.txt (5 bytes)
C:\Program instal\Lang\de.txt (7 bytes)
C:\Program instal\Lang\ca.txt (7 bytes)
C:\Program instal\7-zip.chm (601 bytes)
C:\Program instal\Lang\sv.txt (7 bytes)
C:\Program instal\Lang\mn.txt (8 bytes)
C:\Program instal\Lang\ko.txt (9 bytes)
C:\Program instal\Lang\ext.txt (7 bytes)
C:\Program instal\Lang\fy.txt (6 bytes)
C:\Program instal\Lang\kk.txt (10 bytes)
C:\Program instal\7zG.exe (2105 bytes)
C:\Program instal\Lang\an.txt (7 bytes)
C:\Program instal\7zCon.sfx (673 bytes)
C:\Program instal\Lang\es.txt (8 bytes)
C:\Program instal\Lang\kaa.txt (8 bytes)
C:\Program instal\Lang\da.txt (8 bytes)
C:\Program instal\Lang\pt.txt (7 bytes)
C:\Program instal\Lang\hr.txt (8 bytes)
C:\Program instal\7z.sfx (673 bytes)
C:\Program instal\Lang\tr.txt (7 bytes)
C:\Program instal\Lang\lv.txt (5 bytes)
C:\Program instal\Lang\co.txt (10 bytes)
C:\Program instal\Lang\gu.txt (18 bytes)
C:\Program instal\Lang\hi.txt (18 bytes)
C:\Program instal\Lang\sr-spl.txt (7 bytes)
C:\Program instal\Lang\mng2.txt (22 bytes)
C:\Program instal\Lang\ps.txt (8 bytes)
C:\Program instal\Lang\io.txt (5 bytes)
C:\Program instal\Lang\et.txt (7 bytes)
C:\Program instal\Lang\zh-tw.txt (8 bytes)
C:\Program instal\descript.ion (366 bytes)
C:\Program instal\Lang\ku-ckb.txt (12 bytes)
C:\Program instal\Lang\lt.txt (9 bytes)
C:\Program instal\oprs.7z (84010 bytes)
C:\Program instal\Lang\br.txt (5 bytes)
C:\Program instal\7zFM.exe (3073 bytes)
C:\Program instal\Lang\it.txt (9 bytes)
C:\Program instal\Lang\id.txt (8 bytes)
C:\Program instal\Lang\sl.txt (6 bytes)
C:\Program instal\Lang\eu.txt (8 bytes)
C:\Program instal\Lang\mk.txt (8 bytes)
C:\Program instal\Lang\vi.txt (8 bytes)
C:\Program instal\taskkill.exe (601 bytes)
C:\Program instal\Lang\nn.txt (5 bytes)
C:\Program instal\Lang\hu.txt (8 bytes)
C:\Program instal\Lang\va.txt (6 bytes)
C:\Program instal\Lang\el.txt (17 bytes)
C:\Program instal\Lang\zh-cn.txt (8 bytes)

The not-a-virus deletes the following file(s):

C:\Program instal\__tmp_rar_sfx_access_check_2133032 (0 bytes)

The process WScript.exe:4084 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Program instal\opera.exe (880 bytes)
C:\Program instal\profile\temporary_downloads\c program instal resourse creativecloudset-up.exe (49 bytes)
C:\Program instal\opera.dll (5823 bytes)

The process opera.exe:3980 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Program instal\profile\temporary_downloads\c program instal resourse creativecloudset-up.exe (62297 bytes)
C:\Program instal\gstreamer\plugins\gstffmpegcolorspace.dll (159 bytes)
C:\Program instal\gstreamer\plugins\gstaudioresample.dll (94 bytes)
C:\Program instal\profile\optrust.dat (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A295VEOFPPMUX0QKORJ7.temp (3 bytes)
C:\Program instal\profile\cache\sesn\opr000BP.tmp (196 bytes)
C:\Program instal\gstreamer\plugins\gstoggdec.dll (315 bytes)
C:\Program instal\profile\cache\sesn\opr000BH.tmp (237 bytes)
C:\Program instal\gstreamer\plugins\gstcoreplugins.dll (98 bytes)
C:\Program instal\gstreamer\plugins\gstaudioconvert.dll (94 bytes)
C:\Program instal\profile\cache\sesn\opr000BR.tmp (157 bytes)
C:\Program instal\profile\opcert6.dat (60 bytes)
C:\Program instal\profile\cache\sesn\opr000BD.tmp (1098 bytes)
C:\Program instal\profile\download.dat (1792 bytes)
C:\Program instal\profile\global_history.dat (847 bytes)
C:\Program instal\profile\sessions\oprFA68.tmp (1 bytes)
C:\Program instal\profile\oprD5DA.tmp (7 bytes)
C:\Program instal\gstreamer\plugins\gstdirectsound.dll (69 bytes)
C:\Program instal\profile\icons\http://adob11.tmweb.ru/favicon.png (711 bytes)
C:\Program instal\profile\cache\sesn\opr000BF.tmp (258 bytes)
C:\Program instal\gstreamer\plugins\gstwaveform.dll (40 bytes)
C:\Program instal\profile\oprD629.tmp (7 bytes)
C:\Program instal\profile\cache\sesn\opr000BS.tmp (178 bytes)
C:\Program instal\profile\cache\sesn\opr000BL.tmp (1 bytes)
C:\Program instal\gstreamer\plugins\gstdecodebin2.dll (65 bytes)
C:\Program instal\profile\cache\sesn\opr000BK.tmp (934 bytes)
C:\Program instal\profile\cache\sesn\opr000BI.tmp (2 bytes)
C:\Program instal\profile\oprEC25.tmp (249 bytes)
C:\Program instal\profile\sessions\oprEB29.tmp (1 bytes)
C:\Program instal\profile\cache\sesn\opr000BM.tmp (280 bytes)
C:\Program instal\profile\opcacrt6.dat (32956 bytes)
C:\Program instal\profile\cache\sesn\opr000BN.tmp (1 bytes)
C:\Program instal\profile\cache\sesn\opr000BQ.tmp (7952 bytes)
C:\Program instal\profile\cache\revocation\sesn\opr00010.tmp (471 bytes)
C:\Program instal\profile\oprDCDF.tmp (7 bytes)
C:\Program instal\profile\cache\revocation\sesn\opr0000Y.tmp (471 bytes)
C:\Program instal\profile\oprDC61.tmp (7 bytes)
C:\Program instal\profile\opicacrt6.dat (2716 bytes)
C:\Program instal\gstreamer\plugins\gstautodetect.dll (57 bytes)
C:\Program instal\profile\autoupdate_response.xml (6588 bytes)
C:\Program instal\profile\cache\revocation\sesn\opr0000Z.tmp (543 bytes)
C:\Program instal\profile\opuntrust.dat (60 bytes)
C:\Program instal\profile\oprEB59.tmp (7 bytes)
C:\Program instal\profile\cache\sesn\opr000BE.tmp (196 bytes)
C:\Program instal\profile\cache\sesn\opr000BO.tmp (3 bytes)
C:\Program instal\profile\sessions\autosave.win.bak (1 bytes)
C:\Program instal\profile\cache\sesn\opr000BJ.tmp (1568 bytes)
C:\Program instal\profile\opssl6.dat (3382 bytes)
C:\Program instal\profile\cache\sesn\opr000BG.tmp (196 bytes)
C:\Program instal\profile\icons\adob11.tmweb.ru.idx (97 bytes)
C:\Program instal\profile\sessions\oprC25.tmp (1 bytes)

The not-a-virus deletes the following file(s):

C:\Program instal\profile\cache\sesn\opr000BQ.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2012 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\WinRAR SFX]
"C%%Program instal" = "C:\Program instal"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The not-a-virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:4084 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The not-a-virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process opera.exe:3980 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Opera Software]
"Last CommandLine v2" = "C:\Program instal\opera.exe http://loadre.ru/cc-creativecloudset2"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process mshta.exe:2104 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 53182 53248 4.53908 4ac3bfd8d76525868e8e0f03d7dc5bda
.rdata 57344 7013 7168 3.44108 813eb85081684ec5ac68b925bd52a382
.data 65536 135184 512 0.935883 2d7344509303d51be19de89734ebf778
.CRT 204800 16 512 0.147711 8cf1fbb4d9dc097b982a9700053cd2bf
.rsrc 208896 21440 21504 3.3734 a9f3dce21b23fa6a092e1604c2f60787

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /7e080e9dd56b5dcab4df0e4c6d3d238f/625819-book HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: 34.253.40.151
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 13:59:34 GMT
Content-Type: application/exe
Content-Length: 1197048
Connection: close
Last-Modified: Fri, 14 Apr 2017 12:48:23 GMT
Expires: Mon, 8 Oct 2012 01:02:03 GMT
Cache-Control: no-cache, must-revalidate
Set-Cookie: GSID=910c51f6a59f1c8a19fa4bb3a67c594a; expires=Sat, 15-Apr-2017 13:59:34 GMT; Max-Age=86400; path=/; domain=34.253.40.151
Set-Cookie: usid=usid-72fb5810af0a3fd40237aa882aa8ad6758f0d5c65b9f9; expires=Thu, 04-Apr-2019 13:59:34 GMT; Max-Age=62208000; path=/; domain=34.253.40.151
Content-Disposition: attachment; filename="c program instal resourse creativecloudset-up.exe"
ETag: "58f0c517-1243f8"
Accept-Ranges: bytes

<<< skipped >>>

GET /download-file/2014/06/1337.png HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: freesoftloads.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: image/png
Content-Length: 2825
Last-Modified: Mon, 23 Jun 2014 19:52:53 GMT
Connection: keep-alive
ETag: "53a88595-b09"
X-Powered-By: PleskLin
Accept-Ranges: bytes

<<< skipped >>>

GET /wp-includes/js/jquery/jquery.js?ver=1.10.2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-javascript
Last-Modified: Mon, 01 Aug 2016 13:57:50 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f555e-16b9d"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip

<<< skipped >>>

GET /wp-content/themes/media-maven/library/images/subtle.png HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:31 GMT
Content-Type: image/png
Content-Length: 106988
Last-Modified: Mon, 01 Aug 2016 13:57:48 GMT
Connection: keep-alive
ETag: "579f555c-1a1ec"
Expires: Mon, 15 May 2017 13:59:31 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes

<<< skipped >>>

GET /adobe-cc-creativecloudset.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 404 Not found
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Content-Encoding: gzip

<<< skipped >>>

GET /js/rw_cnter.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-javascript
Last-Modified: Mon, 01 Aug 2016 13:57:40 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f5554-98f"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip


GET /wp-content/themes/media-maven/library/css/default.css HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: text/css
Last-Modified: Mon, 01 Aug 2016 13:57:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f555c-48bc"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip

<<< skipped >>>

GET /wp-content/themes/media-maven/library/js/scripts.js?ver=1.0.0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-javascript
Content-Length: 258
Last-Modified: Mon, 01 Aug 2016 13:57:48 GMT
Connection: keep-alive
ETag: "579f555c-102"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes
jQuery(document).ready(function($){
    /* prepend menu icon */
    $('div.menu').prepend('<div id="menu-icon">Menu</div>');
    /* toggle nav */
    $("#menu-icon").on("click", function(){
        $("div.menu ul").slideToggle();
        $(this).toggleClass("active");
    });
});


GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-javascript
Last-Modified: Mon, 01 Aug 2016 13:57:50 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f555e-1c1f"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip

<<< skipped >>>

GET /cc-creativecloudset2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: loadre.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 237
Connection: keep-alive
Location: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html">here</a>.</p>
</body></html>


POST /wp-content/themes/media-maven/refgen3.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive
Content-Length: 33
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

pd=adobe-cc-creativecloudset.html

HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 67
Connection: keep-alive
X-Powered-By: PHP/5.3.29
Set-Cookie: PHPSESSID=35fbfdac5e7d48170e95ae0576ae8074; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
hXXp://34.253.40.151/7e080e9dd56b5dcab4df0e4c6d3d238f/625819-book;0


GET /wp-content/themes/media-maven/library/js/modernizr-2.6.1.min.js?ver=2.6.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-javascript
Last-Modified: Mon, 01 Aug 2016 13:57:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f555c-384b"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip

<<< skipped >>>

GET /favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:31 GMT
Content-Type: image/x-icon
Content-Length: 1150
Connection: keep-alive
Last-Modified: Mon, 01 Aug 2016 13:57:40 GMT
ETag: "47e-53902fbc875d0"
Accept-Ranges: bytes

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEA+ddDVDrxAxhTRpZSguQJM= HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: ocsp.digicert.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Fri, 14 Apr 2017 13:59:30 GMT
Etag: "58f0846b-1d7"
Expires: Fri, 21 Apr 2017 01:59:30 GMT
Last-Modified: Fri, 14 Apr 2017 08:12:27 GMT
Server: ECS (fcn/4196)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArKdNViqZvRTsj6pSQqLDU= HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: ocsp.digicert.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Fri, 14 Apr 2017 14:00:30 GMT
Etag: "58f0a96a-1d7"
Expires: Fri, 21 Apr 2017 02:00:30 GMT
Last-Modified: Fri, 14 Apr 2017 10:50:18 GMT
Server: ECS (fcn/9F9C)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

GET /DigiCertHighAssuranceEVRootCA.crl HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: crl4.digicert.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 543
Connection: keep-alive
Cache-Control: max-age=172800
Expires: Sun, 16 Apr 2017 13:59:21 GMT
X-CFHash: "c42c7b6ab359dd4268dbf5e4f15ad734"
X-CFF: H
Last-Modified: Wed, 12 Apr 2017 22:15:05 GMT
X-CF3: H
CF4Age: 19
CF4ttl: 31536000.000
X-CF2: H
Server: CFS 0215
X-CF1: 13483:fD.fra2:cf:cacheN.fra2-01:H
Accept-Ranges: bytes

<<< skipped >>>

GET /wp-content/themes/media-maven/style.css?ver=3.8.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Host: adob11.tmweb.ru
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: hXXp://adob11.tmweb.ru/adobe-cc-creativecloudset.html
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Fri, 14 Apr 2017 13:59:30 GMT
Content-Type: text/css
Last-Modified: Mon, 01 Aug 2016 13:57:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"579f555c-7b5d"
Expires: Mon, 15 May 2017 13:59:30 GMT
Cache-Control: max-age=2678400
Content-Encoding: gzip

<<< skipped >>>

The not-a-virus connects to the servers at the following location(s):

opera.exe_3980:

.text
`.rdata
@.data
.rsrc
@.reloc
u)SSh
OperaCrashlogEvent-%u
-write_crashlog%c%x %p %s
%s %s
Opera Crash Logging
%-63s Base: %8X
dddddd
opera-%s\
gpu_info.txt
crash.txt
Couldn't initialize MemGuard, %s
Opera Error
Couldn't initialize MemGuard, error patching Opera.dll!
Couldn't initialize MemGuard, function signature not found in Opera.dll!
Warning: Bad breakpoint size in MemGuard.ini
MemLeak.bin
MemCrash.bin
MemGuard.bin
OperaWindowClass
12.18.1872
Opera MemGuard
Press Yes to run Opera in memory guarding mode
This causes Opera to consume much more memory and run slower.
Press Cancel to delete the file MemGuard.ini from your desktop
del "%S"
if exist "%S" goto Repeat1
if exist "%S" goto Repeat2
Opera failed to start because:
Failed to load Opera.DLL because:
OPERA
PSAPI.DLL
WINTRUST.dll
CryptMsgGetParam
CertFindCertificateInStore
CertGetNameStringW
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CRYPT32.dll
GetProcessHeap
KERNEL32.dll
EnumWindows
USER32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
SHELL32.dll
ole32.dll
C:\build\output\1453991951\work\VS_Output\PGO\desktop_starter.pdb
KERNEL32.DLL
Crash log writing failed, %s!
Error description from system: %s
OPERA-CRASHLOG V1 desktop 12.18 1872 windows
%s caused exception %X at address X (Base: %X)
EAX=X EBX=X ECX=X EDX=X ESI=X
EDI=X EBP=X ESP=X EIP=X FLAGS=X
CS=X DS=X SS=X ES=X FS=X GS=X
XXX XXX XXX
XXX XXX SW=X CW=X
Opera crashed while trying to show the crash dialogue for a previous crash.
-crashlog "%s"
<description>Opera Internet Browser</description>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
>!>&>0>=>
autoupdate.txt
autoupdate.ini
dwmapi.dll
dOpera.dll
opera.exe
operaupgrader.exe
install.conf
advapi32.dll
kernel32.dll
yntdll.dll
sshell32.dll
user32.dll
uxtheme.dll
wlanapi.dll
Opera Software ASA
k.bat
OperaUpgrader.exe
Opera.exe
Opera.dll
/install /silent /autoupdate /launchopera 0 /setdefaultbrowser 0 /installfolder "
OperaInstallerCompletedSuccessfully
\MemGuard*.ini
OPERADOC
Opera Software
Opera Internet Browser
Opera
Opera Software 1995-2014

opera.exe_3980_rwx_02760000_0000F000:

C .up

__________________________________________________1304:

.text
`.rdata
@.data
.rsrc
@.reloc
T$`RSSh
u!SSSh
SSSSh|uE
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
QueryInterface(IWebBrowser) failed
inflate 1.2.8 Copyright 1995-2013 Mark Adler
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
banner_url
error creating executable heap
error allocating executable memory
hXXp://
in Json::Value::operator[](ArrayIndex): requires arrayValue
in Json::Value::operator[](int index): index cannot be negative
in Json::Value::operator[](char const*)const: requires objectValue
GetProcessHeap
SetProcessShutdownParameters
KERNEL32.dll
USER32.dll
GDI32.dll
GdiplusShutdown
gdiplus.dll
PathCreateFromUrlW
SHLWAPI.dll
COMCTL32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoA
HttpQueryInfoW
WININET.dll
POWRPROF.dll
VERSION.dll
PSAPI.DLL
IPHLPAPI.DLL
WS2_32.dll
CryptCATCatalogInfoFromContext
WINTRUST.dll
CryptMsgGetParam
CertFindCertificateInStore
CertGetNameStringW
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CRYPT32.dll
GetCPInfo
GetConsoleOutputCP
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
KERNEL32.DLL
mscoree.dll
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Tag like '\\\\.\\PHYSICALDRIVE%'
\\.\PhysicalDrive
https
Error getting HTTP status #
Error HTTP status
wrong file url
\msiexec.exe
lempty download url
file.exe
:Zone.Identifier
<a href="hXXp://amigo.mail.ru/eula.html">
kernel32.dll
Shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
\cmd.exe
" /c for /l %x in (1,1,10) do ping localhost -n 6 -w 1 & del /q /f "
hkey_classes_root
hkey_current_user
hkey_local_machine
hkey_users
hkey_current_config
windows
.deleted
openwith.exe
user32.dll
wuapi.dll
Windows Update
C:\Program instal\profile\temporary_downloads\c program instal resourse creativecloudset-up.exe

__________________________________________________1304_rwx_00400000_00221000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    7z.exe:2724
    7z.exe:992
    %original file name%.exe:2012
    WScript.exe:4084
    mshta.exe:2104

  2. Delete the original not-a-virus file.
  3. Delete or disinfect the following files created/modified by the not-a-virus:

    C:\Program instal\region\ua\ru\search.ini (9 bytes)
    C:\Program instal\region\cn\en\bookmarks.adr (2 bytes)
    C:\Program instal\ui\embedded_mouse.ini (583 bytes)
    C:\Program instal\profile\download.dat (774 bytes)
    C:\Program instal\profile\windows-opengl.blocklist.json (6 bytes)
    C:\Program instal\profile\global_history.dat (634 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/yandex/favicon.png (570 bytes)
    C:\Program instal\profile\icons\vk.com.idx (108 bytes)
    C:\Program instal\profile\application_cache\mcache\vlink4.dat (12 bytes)
    C:\Program instal\styles\plugins.css (2 bytes)
    C:\Program instal\styles\images\red_left.png (327 bytes)
    C:\Program instal\defaults\xmlentities.ini (2 bytes)
    C:\Program instal\region\hk\turbosettings.xml (551 bytes)
    C:\Program instal\profile\styles\user\contrastwb.css (705 bytes)
    C:\Program instal\gstreamer\LGPL.txt (25 bytes)
    C:\Program instal\region\eg\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/video/ru/favicon.png (347 bytes)
    C:\Program instal\profile\styles\user\structuretables.css (2 bytes)
    C:\Program instal\profile\cache\revocation\dcache4.url (22 bytes)
    C:\Program instal\region\id\bookmarks.adr (6 bytes)
    C:\Program instal\region\in\search.ini (7 bytes)
    C:\Program instal\defaults\feedreaders.ini (718 bytes)
    C:\Program instal\profile\override_downloaded.ini (11 bytes)
    C:\Program instal\html5_entity_init.dat (36 bytes)
    C:\Program instal\profile\icons\cache\g_0000\opr00006.tmp (30 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/google/favicon.png (397 bytes)
    C:\Program instal\styles\image.css (516 bytes)
    C:\Program instal\profile\dictionaries\dictionaries.xml (4 bytes)
    C:\Program instal\styles\images\customize.gif (243 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/rambler/favicon.png (163 bytes)
    C:\Program instal\profile\vps\0000\wb.vx (98 bytes)
    C:\Program instal\region\latin_america\search.ini (7 bytes)
    C:\Program instal\profile\styles\user\disablepositioning.css (243 bytes)
    C:\Program instal\region\ru\search.ini (9 bytes)
    C:\Program instal\defaults\public_domains.dat (100 bytes)
    C:\Program instal\profile\icons\cache\vlink4.dat (12 bytes)
    C:\Program instal\styles\images\red_center.png (190 bytes)
    C:\Program instal\ui\dialogs.yml (84 bytes)
    C:\Program instal\profile\next-kmsauto-net.lnk (718 bytes)
    C:\Program instal\styles\user\contrastbw.css (673 bytes)
    C:\Program instal\extra\windows-direct3d-10.blocklist.json (1 bytes)
    C:\Program instal\profile\pstorage\00\12\00000000 (455 bytes)
    C:\Program instal\region\cis\ru\bookmarks.adr (7 bytes)
    C:\Program instal\profile\windows-direct3d-10.blocklist.json (1 bytes)
    C:\Program instal\styles\images\top.png (360 bytes)
    C:\Program instal\gstreamer\plugins\gstaudioresample.dll (94 bytes)
    C:\Program instal\profile\opthumb.dat (778 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/wikipedia/favicon.png (322 bytes)
    C:\Program instal\styles\debug.css (3 bytes)
    C:\Program instal\styles\dir.css (25 bytes)
    C:\Program instal\gstreamer\plugins\gstoggdec.dll (962 bytes)
    C:\Program instal\profile\icons\win.mail.ru.idx (132 bytes)
    C:\Program instal\profile\icons\www.opera.com.idx (487 bytes)
    C:\Program instal\profile\pstorage\00\06\00000000 (376 bytes)
    C:\Program instal\gstreamer\plugins\gstaudioconvert.dll (93 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/avia1/ru/favicon.png (553 bytes)
    C:\Program instal\profile\oprand.dat (4 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/groupon.ru/favicon.png (239 bytes)
    C:\Program instal\styles\images\opera.png (5 bytes)
    C:\Program instal\region\ke\standard_speeddial.ini (1 bytes)
    C:\Program instal\ui\fastforward.ini (2 bytes)
    C:\Program instal\styles\gpu.css (62 bytes)
    C:\Program instal\styles\images\page-bot.png (1 bytes)
    C:\Program instal\profile\toolbar\standard_toolbar.ini (683 bytes)
    C:\Program instal\styles\images\container.png (12 bytes)
    C:\Program instal\styles\mail.css (1 bytes)
    C:\Program instal\locale\ru\bookmarks.adr (7 bytes)
    C:\Program instal\styles\about.css (27 bytes)
    C:\Program instal\region\ph\standard_speeddial.ini (1 bytes)
    C:\Program instal\ui\standard_mouse.ini (1 bytes)
    C:\Program instal\styles\images\bkgd.png (860 bytes)
    C:\Program instal\profile\icons\http://www.opera.com/favicon.png (586 bytes)
    C:\Program instal\region\region.ini (1 bytes)
    C:\Program instal\profile\icons\www.google.com.idx (146 bytes)
    C:\Program instal\profile\bookmarks.adr (11 bytes)
    C:\Program instal\region\vn\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\spdysett.dat (12 bytes)
    C:\Program instal\region\cn\browser.js (122 bytes)
    C:\Program instal\region\cn\en\search.ini (8 bytes)
    C:\Program instal\profile\icons\http://www.litres.ru/favicon.png (340 bytes)
    C:\Program instal\mapi\OperaMAPI.dll (807 bytes)
    C:\Program instal\profile\search.ini (2 bytes)
    C:\Program instal\profile\vps\0000\adoc.bx (4 bytes)
    C:\Program instal\styles\user\disableforms.css (269 bytes)
    C:\Program instal\profile\styles\user\disablefloats.css (229 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/shopping4/ru/favicon.png (928 bytes)
    C:\Program instal\region\id\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\www.opera-usb.com.idx (71 bytes)
    C:\Program instal\profile\tips.ini (291 bytes)
    C:\Program instal\profile\icons\cache\g_0000\opr00004.tmp (102 bytes)
    C:\Program instal\region\tw\turbosettings.xml (551 bytes)
    C:\Program instal\styles\user\disablefloats.css (229 bytes)
    C:\Program instal\profile\opcache\dcache4.url (13 bytes)
    C:\Program instal\region\gb\search.ini (8 bytes)
    C:\Program instal\styles\images\bar.png (192 bytes)
    C:\Program instal\profile\opcert6.dat (12 bytes)
    C:\Program instal\profile\mail\omailbase.dat (4 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/auto/ru/favicon.png (375 bytes)
    C:\Program instal\gstreamer\plugins\gstdirectsound.dll (67 bytes)
    C:\Program instal\styles\images\Opera_256x256.png (18 bytes)
    C:\Program instal\extra\missingpluginhover.svg (671 bytes)
    C:\Program instal\defaults\handlers-ignore.ini (636 bytes)
    C:\Program instal\profile\icons\http://pisbrat5.tmweb.ru/favicon.png (711 bytes)
    C:\Program instal\region\se\bookmarks.adr (7 bytes)
    C:\Program instal\defaults\tips_metadata.ini (1 bytes)
    C:\Program instal\profile\styles\user\structureinline.css (2 bytes)
    C:\Program instal\region\gb\bookmarks.adr (8 bytes)
    C:\Program instal\profile\opicacrt6.dat (9 bytes)
    C:\Program instal\region\cis\en\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\cache\CACHEDIR.TAG (188 bytes)
    C:\Program instal\profile\opuntrust.dat (12 bytes)
    C:\Program instal\profile\icons\redir.opera.com.idx (3 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/shopping1/ru/favicon.png (427 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/yahoo/favicon.png (736 bytes)
    C:\Program instal\styles\images\darkBox.png (142 bytes)
    C:\Program instal\region\ph\bookmarks.adr (5 bytes)
    C:\Program instal\styles\feed.css (1 bytes)
    C:\Program instal\styles\user\tablelayout.css (258 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/skyscanner/favicon.png (885 bytes)
    C:\Program instal\profile\vps\0000\md.dat (65 bytes)
    C:\Program instal\skin\standard_skin.zip (1 bytes)
    C:\Program instal\styles\search.css (558 bytes)
    C:\Program instal\styles\user\toc.css (4 bytes)
    C:\Program instal\region\ar\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\en.wikipedia.org.idx (120 bytes)
    C:\Program instal\gstreamer\gstreamer.dll (931 bytes)
    C:\Program instal\profile\styles\user\tablelayout.css (258 bytes)
    C:\Program instal\defaults\standard_trusted_repositories.ini (262 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/izone/favicon.png (372 bytes)
    C:\Program instal\region\za\bookmarks.adr (7 bytes)
    C:\Program instal\profile\icons\cache\g_0000\opr00005.tmp (18 bytes)
    C:\Program instal\D3DCompiler_43.dll (2389 bytes)
    C:\Program instal\profile\styles\user\contrastbw.css (673 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/avia/ru/favicon.png (267 bytes)
    C:\Program instal\styles\images\bkgd-rev.png (1 bytes)
    C:\Program instal\styles\images\root.png (123 bytes)
    C:\Program instal\profile\icons\pisbrat5.tmweb.ru.idx (185 bytes)
    C:\Program instal\profile\icons\cache\cookies4.dat (13 bytes)
    C:\Program instal\region\ru\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\sessions\autosave.win.bak (1 bytes)
    C:\Program instal\profile\opssl6.dat (16 bytes)
    C:\Program instal\profile\dictionaries\de.zip (820 bytes)
    C:\Program instal\region\latin_america\standard_speeddial.ini (1 bytes)
    C:\Program instal\operaprefs_default.ini (255 bytes)
    C:\Program instal\profile\styles\user\toc.css (4 bytes)
    C:\Program instal\region\in\bookmarks.adr (10 bytes)
    C:\Program instal\profile\icons\mail.yandex.ru.idx (86 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/hotels.com/favicon.png (193 bytes)
    C:\Program instal\styles\im.css (2 bytes)
    C:\Program instal\ui\embedded_menu.ini (12 bytes)
    C:\Program instal\ui\standard_keyboard_compat.ini (26 bytes)
    C:\Program instal\profile\application_cache\mcache\dcache4.url (20 bytes)
    C:\Program instal\styles\images\tooltiptail.png (414 bytes)
    C:\Program instal\profile\dictionaries\de_AT.zip (821 bytes)
    C:\Program instal\region\za\standard_speeddial.ini (1 bytes)
    C:\Program instal\extra\windows-opengl.blocklist.json (6 bytes)
    C:\Program instal\region\latin_america\bookmarks.adr (7 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/bigpoint/favicon.png (936 bytes)
    C:\Program instal\region\ru\bookmarks.adr (9 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/booking/favicon.png (317 bytes)
    C:\Program instal\gstreamer\plugins\gstwavparse.dll (73 bytes)
    C:\Program instal\region\us\search.ini (8 bytes)
    C:\Program instal\profile\icons\https://2ip.ru/favicon.png (729 bytes)
    C:\Program instal\opera.dll (17121 bytes)
    C:\Program instal\profile\cache\revocation\vlink4.dat (12 bytes)
    C:\Program instal\styles\wml.css (1 bytes)
    C:\Program instal\styles\user\disablebreaks.css (213 bytes)
    C:\Program instal\profile\icons\my.opera.com.idx (157 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/myopera/favicon.png (619 bytes)
    C:\Program instal\profile\pstorage\00\18\00000000 (4 bytes)
    C:\Program instal\defaults\dictionaries.xml (4 bytes)
    C:\Program instal\profile\vps\0000\url.axx (8 bytes)
    C:\Program instal\styles\images\hanger.png (16 bytes)
    C:\Program instal\styles\mime.css (9 bytes)
    C:\Program instal\region\pk\bookmarks.adr (5 bytes)
    C:\Program instal\profile\vlink4.dat (4 bytes)
    C:\Program instal\profile\icons\http://www.opera-usb.com/favicon.png (797 bytes)
    C:\Program instal\styles\private.css (798 bytes)
    C:\Program instal\region\tw\browser.js (122 bytes)
    C:\Program instal\styles\user\accessibility.css (2 bytes)
    C:\Program instal\defaults\search.ini (8 bytes)
    C:\Program instal\ui\widgets.yml (26 bytes)
    C:\Program instal\region\hk\browser.js (122 bytes)
    C:\Program instal\profile\typed_history.xml (1 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/alawar/favicon.png (740 bytes)
    C:\Program instal\region\middle_east\bookmarks.adr (3 bytes)
    C:\Program instal\gstreamer\plugins\gstautodetect.dll (24 bytes)
    C:\Program instal\profile\icons\www.fastmail.fm.idx (94 bytes)
    C:\Program instal\styles\user\structureinline.css (2 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/bing/favicon.png (268 bytes)
    C:\Program instal\locale\en\en.lng (196 bytes)
    C:\Program instal\region\pk\standard_speeddial.ini (1 bytes)
    C:\Program instal\locale\en\en.zip (241 bytes)
    C:\Program instal\styles\images\warning.png (2 bytes)
    C:\Program instal\region\my\standard_speeddial.ini (1 bytes)
    C:\Program instal\locale\ru\search.ini (8 bytes)
    C:\Program instal\gstreamer\plugins\gstffmpegcolorspace.dll (158 bytes)
    C:\Program instal\profile\optrust.dat (12 bytes)
    C:\Program instal\profile\cookies4.dat (7 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/soft/ru/favicon.png (809 bytes)
    C:\Program instal\locale\ru\standard_speeddial.ini (1 bytes)
    C:\Program instal\files_old.sig (24 bytes)
    C:\Program instal\styles\images\folder.png (792 bytes)
    C:\Program instal\styles\cache.css (23 bytes)
    C:\Program instal\region\middle_east\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\www.yandex.ru.idx (113 bytes)
    C:\Program instal\gstreamer\README.txt (401 bytes)
    C:\Program instal\styles\certinfo.css (3 bytes)
    C:\Program instal\opera.exe (2229 bytes)
    C:\Program instal\defaults\plugin-ignore.ini (1 bytes)
    C:\Program instal\styles\history.css (420 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/amazon/favicon.png (360 bytes)
    C:\Program instal\profile\styles\user\structureblock.css (4 bytes)
    C:\Program instal\styles\unstyledxml.css (2 bytes)
    C:\Program instal\profile\pstorage\00\13\00000001 (939 bytes)
    C:\Program instal\profile\pstorage\00\13\00000000 (366 bytes)
    C:\Program instal\profile\cache\dcache4.url (90 bytes)
    C:\Program instal\styles\images\arrow.png (106 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/gamexp/favicon.png (829 bytes)
    C:\Program instal\styles\info.css (779 bytes)
    C:\Program instal\styles\user\outline.css (735 bytes)
    C:\Program instal\gstreamer\plugins\gstwaveform.dll (38 bytes)
    C:\Program instal\styles\contentblock.css (331 bytes)
    C:\Program instal\profile\speeddial.ini (273 bytes)
    C:\Program instal\styles\user\structureblock.css (4 bytes)
    C:\Program instal\files.sig (18 bytes)
    C:\Program instal\profile\icons\portal.opera.com.idx (159 bytes)
    C:\Program instal\region\ar\search.ini (7 bytes)
    C:\Program instal\region\us\bookmarks.adr (7 bytes)
    C:\Program instal\profile\styles\user\altdebugger.css (1 bytes)
    C:\Program instal\profile\styles\user\accessibility.css (2 bytes)
    C:\Program instal\region\au\standard_speeddial.ini (1 bytes)
    C:\Program instal\styles\m2_welcome_message.mbs (158 bytes)
    C:\Program instal\region\kz\bookmarks.adr (6 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/drom/favicon.png (499 bytes)
    C:\Program instal\profile\operaprefs.ini (3 bytes)
    C:\Program instal\region\my\bookmarks.adr (7 bytes)
    C:\Program instal\gstreamer\plugins\gstcoreplugins.dll (96 bytes)
    C:\Program instal\lngcode.txt (3 bytes)
    C:\Program instal\profile\icons\cache\g_0000\opr00001.tmp (10 bytes)
    C:\Program instal\ui\standard_toolbar.ini (54 bytes)
    C:\Program instal\gstreamer\plugins\gstdecodebin2.dll (62 bytes)
    C:\Program instal\profile\mail\accounts.ini (775 bytes)
    C:\Program instal\styles\images\red_right.png (343 bytes)
    C:\Program instal\styles\warning.css (1 bytes)
    C:\Program instal\styles\images\flag.png (258 bytes)
    C:\Program instal\region\cis\en\bookmarks.adr (4 bytes)
    C:\Program instal\profile\icons\https://whoer.net/favicon.png (572 bytes)
    C:\Program instal\styles\error.css (1 bytes)
    C:\Program instal\styles\mathml.css (14 bytes)
    C:\Program instal\styles\webstorage.css (422 bytes)
    C:\Program instal\styles\images\search.png (453 bytes)
    C:\Program instal\styles\images\bullet.png (349 bytes)
    C:\Program instal\profile\icons\go.mail.ru.idx (108 bytes)
    C:\Program instal\profile\autoupdate_region.dat (15 bytes)
    C:\Program instal\styles\drives.css (658 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/mailru/favicon.png (835 bytes)
    C:\Program instal\styles\images\smartGroup.png (1 bytes)
    C:\Program instal\region\cn\en\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\handlers.ini (62 bytes)
    C:\Program instal\styles\images\section.png (204 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/ozon/favicon.png (413 bytes)
    C:\Program instal\styles\user\disabletables.css (410 bytes)
    C:\Program instal\profile\icons\yahoo.opera.com.idx (108 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/softportal/favicon.png (243 bytes)
    C:\Program instal\ui\embedded_keyboard.ini (8 bytes)
    C:\Program instal\profile\icons\ru.wikipedia.org.idx (251 bytes)
    C:\Program instal\profile\icons\www.bing.com.idx (113 bytes)
    C:\Program instal\mathml.dtd (59 bytes)
    C:\Program instal\defaults\webmailproviders.ini (591 bytes)
    C:\Program instal\profile\icons\http://img.yandex.net/i/favicon.png (250 bytes)
    C:\Program instal\locale\ru\ru.lng (316 bytes)
    C:\Program instal\styles\opera.css (2 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/searchmailru/favicon.png (456 bytes)
    C:\Program instal\profile\icons\cache\g_0000\opr00003.tmp (27 bytes)
    C:\Program instal\profile\tasks.xml (249 bytes)
    C:\Program instal\region\ng\standard_speeddial.ini (1 bytes)
    C:\Program instal\region\ua\ru\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\styles\user\outline.css (735 bytes)
    C:\Program instal\styles\user\disablepositioning.css (243 bytes)
    C:\Program instal\profile\icons\http://ebay.ru/favicon.png (163 bytes)
    C:\Program instal\styles\images\center.png (173 bytes)
    C:\Program instal\region\eg\bookmarks.adr (4 bytes)
    C:\Program instal\region\eg\search.ini (7 bytes)
    C:\Program instal\ui\standard_menu.ini (101 bytes)
    C:\Program instal\pubsuffix.xml (1119 bytes)
    C:\Program instal\region\vn\bookmarks.adr (6 bytes)
    C:\Program instal\ui\dialog.ini (171 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/vkontakte/favicon.png (587 bytes)
    C:\Program instal\styles\user\classid.css (1 bytes)
    C:\Program instal\profile\icons\whoer.net.idx (57 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/opera.sports.com/favicon.png (554 bytes)
    C:\Program instal\styles\m2_upgrade_1160.mbs (267 bytes)
    C:\Program instal\region\au\bookmarks.adr (7 bytes)
    C:\Program instal\region\gb\standard_speeddial.ini (1 bytes)
    C:\Program instal\styles\message.css (54 bytes)
    C:\Program instal\region\cis\ru\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\cache\dcache4.url (47 bytes)
    C:\Program instal\html40_entities.dtd (7 bytes)
    C:\Program instal\region\ng\bookmarks.adr (6 bytes)
    C:\Program instal\styles\images\file.png (534 bytes)
    C:\Program instal\region\ua\ru\bookmarks.adr (7 bytes)
    C:\Program instal\gstreamer\plugins\gstwebmdec.dll (101 bytes)
    C:\Program instal\styles\user\contrastwb.css (705 bytes)
    C:\Program instal\region\us\standard_speeddial.ini (1 bytes)
    C:\Program instal\program\plugins\readme.txt (76 bytes)
    C:\Program instal\region\cn\turbosettings.xml (130 bytes)
    C:\Program instal\ui\standard_keyboard.ini (29 bytes)
    C:\Program instal\profile\icons\2ip.ru.idx (51 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/opera/favicon.png (619 bytes)
    C:\Program instal\defaults\mailproviders.xml (40 bytes)
    C:\Program instal\styles\config.css (7 bytes)
    C:\Program instal\profile\icons\http://img.imgsmail.ru/r/favicon.png (916 bytes)
    C:\Program instal\profile\icons\addons.opera.com.idx (88 bytes)
    C:\Program instal\profile\opcacrt6.dat (34 bytes)
    C:\Program instal\styles\cpu.css (662 bytes)
    C:\Program instal\profile\pstorage\psindex.dat (1 bytes)
    C:\Program instal\styles\user\structuretables.css (2 bytes)
    C:\Program instal\region\ke\bookmarks.adr (7 bytes)
    C:\Program instal\region\mx\bookmarks.adr (7 bytes)
    C:\Program instal\profile\styles\user\disabletables.css (410 bytes)
    C:\Program instal\region\kz\search.ini (8 bytes)
    C:\Program instal\region\cis\ru\search.ini (8 bytes)
    C:\Program instal\defaults\license.txt (16 bytes)
    C:\Program instal\region\mx\standard_speeddial.ini (1 bytes)
    C:\Program instal\region\mx\search.ini (7 bytes)
    C:\Program instal\profile\mail\indexer\message_id (4 bytes)
    C:\Program instal\region\ar\bookmarks.adr (6 bytes)
    C:\Program instal\region\cis\en\search.ini (9 bytes)
    C:\Program instal\profile\styles\user\disablebreaks.css (213 bytes)
    C:\Program instal\styles\user\altdebugger.css (1 bytes)
    C:\Program instal\styles\media.css (731 bytes)
    C:\Program instal\profile\application_cache\cache_groups.xml (36 bytes)
    C:\Program instal\styles\images\opera-icon-red.png (24 bytes)
    C:\Program instal\profile\icons\www.ozon.ru.idx (133 bytes)
    C:\Program instal\locale\en\license.txt (16 bytes)
    C:\Program instal\profile\styles\user\classid.css (1 bytes)
    C:\Program instal\extra\missingplugin.svg (753 bytes)
    C:\Program instal\region\se\standard_speeddial.ini (1 bytes)
    C:\Program instal\styles\images\defaultFavicon.png (763 bytes)
    C:\Program instal\profile\webserver\users.xml (35 bytes)
    C:\Program instal\region\in\standard_speeddial.ini (1 bytes)
    C:\Program instal\profile\icons\persistent.txt (5 bytes)
    C:\Program instal\region\id\search.ini (8 bytes)
    C:\Program instal\encoding.bin (526 bytes)
    C:\Program instal\styles\webfeeds.html (12 bytes)
    C:\Program instal\styles\images\error.png (2 bytes)
    C:\Program instal\profile\icons\https://www.fastmail.fm/favicon.png (431 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/ebay/favicon.png (163 bytes)
    C:\Program instal\region\kz\standard_speeddial.ini (1 bytes)
    C:\Program instal\region\middle_east\search.ini (7 bytes)
    C:\Program instal\profile\styles\user\disableforms.css (269 bytes)
    C:\Program instal\profile\vps\0000\w.axx (65 bytes)
    C:\Program instal\profile\icons\http://redir.opera.com/favicons/blekko/favicon.png (203 bytes)
    C:\Program instal\resourse\creativecloudset-up.exe (11403 bytes)
    C:\Program instal\ads.hta (2 bytes)
    C:\Program instal\7-zip.dll (49 bytes)
    C:\Program instal\Lang\fi.txt (8 bytes)
    C:\Program instal\Lang\fa.txt (10 bytes)
    C:\Program instal\Lang\uk.txt (15 bytes)
    C:\Program instal\Lang\mng.txt (20 bytes)
    C:\Program instal\Lang\en.ttt (7 bytes)
    C:\Program instal\My file.gif (3 bytes)
    C:\Program instal\Lang\ro.txt (7 bytes)
    C:\Program instal\7z.exe (1425 bytes)
    C:\Program instal\Lang\nb.txt (6 bytes)
    C:\Program instal\Lang\hy.txt (14 bytes)
    C:\Program instal\Lang\ky.txt (12 bytes)
    C:\Program instal\Lang\cs.txt (7 bytes)
    C:\Program instal\Lang\cy.txt (5 bytes)
    C:\Program instal\Lang\ka.txt (18 bytes)
    C:\Program instal\Lang\uz.txt (7 bytes)
    C:\Program instal\Lang\ms.txt (5 bytes)
    C:\Program instal\Lang\fur.txt (7 bytes)
    C:\Program instal\sleep.exe (5 bytes)
    C:\Program instal\7z.dll (7433 bytes)
    C:\Program instal\Lang\af.txt (5 bytes)
    C:\Program instal\Lang\pa-in.txt (15 bytes)
    C:\Program instal\Lang\sq.txt (6 bytes)
    C:\Program instal\verk.7z.002 (7385 bytes)
    C:\Program instal\Lang\ga.txt (8 bytes)
    C:\Program instal\Lang\ja.txt (11 bytes)
    C:\Program instal\verk.7z.001 (15019 bytes)
    C:\Program instal\Lang\gl.txt (5 bytes)
    C:\Program instal\go.vbs (1 bytes)
    C:\Program instal\Lang\nl.txt (9 bytes)
    C:\Program instal\Lang\ru.txt (14 bytes)
    C:\Program instal\Lang\he.txt (9 bytes)
    C:\Program instal\Lang\is.txt (8 bytes)
    C:\Program instal\Lang\fr.txt (9 bytes)
    C:\Program instal\Lang\pl.txt (8 bytes)
    C:\Program instal\Lang\mr.txt (10 bytes)
    C:\Program instal\Lang\ast.txt (5 bytes)
    C:\Program instal\Lang\lij.txt (7 bytes)
    C:\Program instal\ad.ico (32 bytes)
    C:\Program instal\Lang\ku.txt (5 bytes)
    C:\Program instal\Lang\eo.txt (5 bytes)
    C:\Program instal\Lang\de.txt (7 bytes)
    C:\Program instal\Lang\ca.txt (7 bytes)
    C:\Program instal\7-zip.chm (601 bytes)
    C:\Program instal\Lang\sv.txt (7 bytes)
    C:\Program instal\Lang\mn.txt (8 bytes)
    C:\Program instal\Lang\ko.txt (9 bytes)
    C:\Program instal\Lang\ext.txt (7 bytes)
    C:\Program instal\Lang\fy.txt (6 bytes)
    C:\Program instal\Lang\kk.txt (10 bytes)
    C:\Program instal\7zG.exe (2105 bytes)
    C:\Program instal\Lang\an.txt (7 bytes)
    C:\Program instal\7zCon.sfx (673 bytes)
    C:\Program instal\Lang\es.txt (8 bytes)
    C:\Program instal\Lang\kaa.txt (8 bytes)
    C:\Program instal\Lang\da.txt (8 bytes)
    C:\Program instal\Lang\pt.txt (7 bytes)
    C:\Program instal\Lang\hr.txt (8 bytes)
    C:\Program instal\7z.sfx (673 bytes)
    C:\Program instal\Lang\tr.txt (7 bytes)
    C:\Program instal\Lang\lv.txt (5 bytes)
    C:\Program instal\Lang\co.txt (10 bytes)
    C:\Program instal\Lang\gu.txt (18 bytes)
    C:\Program instal\Lang\hi.txt (18 bytes)
    C:\Program instal\Lang\sr-spl.txt (7 bytes)
    C:\Program instal\Lang\mng2.txt (22 bytes)
    C:\Program instal\Lang\ps.txt (8 bytes)
    C:\Program instal\Lang\io.txt (5 bytes)
    C:\Program instal\Lang\et.txt (7 bytes)
    C:\Program instal\Lang\zh-tw.txt (8 bytes)
    C:\Program instal\descript.ion (366 bytes)
    C:\Program instal\Lang\ku-ckb.txt (12 bytes)
    C:\Program instal\Lang\lt.txt (9 bytes)
    C:\Program instal\oprs.7z (84010 bytes)
    C:\Program instal\Lang\br.txt (5 bytes)
    C:\Program instal\7zFM.exe (3073 bytes)
    C:\Program instal\Lang\it.txt (9 bytes)
    C:\Program instal\Lang\id.txt (8 bytes)
    C:\Program instal\Lang\sl.txt (6 bytes)
    C:\Program instal\Lang\eu.txt (8 bytes)
    C:\Program instal\Lang\mk.txt (8 bytes)
    C:\Program instal\Lang\vi.txt (8 bytes)
    C:\Program instal\taskkill.exe (601 bytes)
    C:\Program instal\Lang\nn.txt (5 bytes)
    C:\Program instal\Lang\hu.txt (8 bytes)
    C:\Program instal\Lang\va.txt (6 bytes)
    C:\Program instal\Lang\el.txt (17 bytes)
    C:\Program instal\Lang\zh-cn.txt (8 bytes)
    C:\Program instal\profile\temporary_downloads\c program instal resourse creativecloudset-up.exe (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A295VEOFPPMUX0QKORJ7.temp (3 bytes)
    C:\Program instal\profile\cache\sesn\opr000BP.tmp (196 bytes)
    C:\Program instal\profile\cache\sesn\opr000BH.tmp (237 bytes)
    C:\Program instal\profile\cache\sesn\opr000BR.tmp (157 bytes)
    C:\Program instal\profile\cache\sesn\opr000BD.tmp (1098 bytes)
    C:\Program instal\profile\sessions\oprFA68.tmp (1 bytes)
    C:\Program instal\profile\oprD5DA.tmp (7 bytes)
    C:\Program instal\profile\icons\http://adob11.tmweb.ru/favicon.png (711 bytes)
    C:\Program instal\profile\cache\sesn\opr000BF.tmp (258 bytes)
    C:\Program instal\profile\oprD629.tmp (7 bytes)
    C:\Program instal\profile\cache\sesn\opr000BS.tmp (178 bytes)
    C:\Program instal\profile\cache\sesn\opr000BL.tmp (1 bytes)
    C:\Program instal\profile\cache\sesn\opr000BK.tmp (934 bytes)
    C:\Program instal\profile\cache\sesn\opr000BI.tmp (2 bytes)
    C:\Program instal\profile\oprEC25.tmp (249 bytes)
    C:\Program instal\profile\sessions\oprEB29.tmp (1 bytes)
    C:\Program instal\profile\cache\sesn\opr000BM.tmp (280 bytes)
    C:\Program instal\profile\cache\sesn\opr000BN.tmp (1 bytes)
    C:\Program instal\profile\cache\sesn\opr000BQ.tmp (7952 bytes)
    C:\Program instal\profile\cache\revocation\sesn\opr00010.tmp (471 bytes)
    C:\Program instal\profile\oprDCDF.tmp (7 bytes)
    C:\Program instal\profile\cache\revocation\sesn\opr0000Y.tmp (471 bytes)
    C:\Program instal\profile\oprDC61.tmp (7 bytes)
    C:\Program instal\profile\autoupdate_response.xml (6588 bytes)
    C:\Program instal\profile\cache\revocation\sesn\opr0000Z.tmp (543 bytes)
    C:\Program instal\profile\oprEB59.tmp (7 bytes)
    C:\Program instal\profile\cache\sesn\opr000BE.tmp (196 bytes)
    C:\Program instal\profile\cache\sesn\opr000BO.tmp (3 bytes)
    C:\Program instal\profile\cache\sesn\opr000BJ.tmp (1568 bytes)
    C:\Program instal\profile\cache\sesn\opr000BG.tmp (196 bytes)
    C:\Program instal\profile\icons\adob11.tmweb.ru.idx (97 bytes)
    C:\Program instal\profile\sessions\oprC25.tmp (1 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
