Gen.Variant.Adware.Kazy.559039_6050bd32b4
Gen:Variant.Adware.Kazy.559039 (B) (Emsisoft), Gen:Variant.Adware.Kazy.559039 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6050bd32b4762f279017abddf83429d5
SHA1: e87de08e09f48ca793881b6eaaf3e01edc5c6686
SHA256: 8bfcaf0a452e20dfd3303a6b9f925067d32d68fb49f49de31191fbedea56cd23
SSDeep: 49152:JbzJQNMlmyHOXIIDpoA58 WNazhnwHAeVywv/6 Mo9Ere/V0:JRQNGmyHopYIZJHwv/6Ji/q
Size: 4868040 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: TODO:
Created at: 2013-07-23 00:41:56
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
tmp5.exe:464
tmp2.exe:1252
The Trojan injects its code into the following process(es):
%original file name%.exe:320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (0 bytes)
The process tmp2.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (0 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 11 A0 96 B6 37 E3 B1 30 56 7D 78 C8 FC 71 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp5.exe" = "Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Escolade]
"Guid" = "3ef7641038b311e581cc000c298a8b37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp2.exe" = "Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process tmp5.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
"(Default)" = "AmiBs.Installer"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
"(Default)" = "Installer Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCR\AmiBs.Installer.1\CLSID]
"(Default)" = "{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\AmiBs.Installer]
"(Default)" = "Installer Class"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
"(Default)" = "IBoot"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\AmiBs.Installer.1]
"(Default)" = "Installer Class"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
"(Default)" = "AmiBs.Installer.1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 30 62 F1 0D 03 22 C6 8E 07 E4 0E AF 89 85 00"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCR\AmiBs.Installer\CurVer]
"(Default)" = "AmiBs.Installer.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
[HKCR\AmiBs.Installer.1\CLSID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
[HKCR\AmiBs.Installer.1]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0]
[HKCR\AmiBs.Installer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Programmable]
[HKCR\AmiBs.Installer\CurVer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level"
The process tmp2.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\AmiBs.Boot.1]
"(Default)" = "Boot Class"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
"(Default)" = "AmiBs.Boot.1"
[HKCR\AmiBs.Boot\CurVer]
"(Default)" = "AmiBs.Boot.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AmiBs.Boot.1\CLSID]
"(Default)" = "{F04A2CA1-9140-4553-B6C4-03E4139ECA93}"
[HKCR\AmiBs.Boot]
"(Default)" = "Boot Class"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
"(Default)" = "AmiBs.Boot"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
"(Default)" = "BootStrapperLib"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "tmp2.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB B9 77 69 D0 A4 10 78 5E 50 08 DC 18 FF C7 88"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1354017460"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
"(Default)" = "Boot Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
[HKCR\AmiBs.Boot.1]
[HKCR\AmiBs.Boot\CurVer]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
[HKCR\AmiBs.Boot]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Programmable]
[HKCR\AmiBs.Boot.1\CLSID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable"
Dropped PE files
| MD5 | File path |
|---|---|
| 7222f8144a764f45b21fbc89e007c4c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\htmlayout.dll |
| b7bd4dba39f45e1cf57683cab3a6f120 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.exe |
| 0bd49da3957331a9a932e8be35448de1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp5.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.
Legal Copyright:
Legal Trademarks:
Original Filename: xyzeAhK3X.lnk_
Internal Name: xyzeAhK3X.lnk_
File Version: 0.0.0.
File Description: iPumpe
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 403571 | 403968 | 4.56747 | ab9143413605400bbb2f6fd9535b900d |
| .rdata | 409600 | 90682 | 91136 | 3.51744 | 519033a4b55b82f2dd933ec9cea0f213 |
| .data | 503808 | 36608 | 9216 | 2.81532 | 40fdd4ae460b41f3fdb50fdf539d7509 |
| .rsrc | 540672 | 4333568 | 4329984 | 3.03413 | d39338c96bc2bc1410e1cd8471b43fcd |
| .reloc | 4874240 | 26820 | 27136 | 3.31665 | 127ac5e6d488e397c238b06e29a1b995 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
6cb468d8e106fd18f7d79c89cde5649f
619176599c8f8188c6a04179a75b0766
633aa8736aaf2d53a59af8b2b6333c04
9e94722d253d6f8f21ad96a78f7c4320
URLs
| URL | IP |
|---|---|
| hxxp://urlforward.topdns.com/api/cc | |
| hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc | |
| hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc | |
| hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= | |
| hxxp://urlforward.topdns.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | |
| hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | |
| hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | |
| hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0= | |
| hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing | |
| hxxp://dyno3mlj15jgv.cloudfront.net/V26/amipb.js | |
| hxxp://urlforward.topdns.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | |
| hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | |
| hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | |
| hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw== | |
| hxxp://cdn1.downloadsoup.com/V26/amipb.js | |
| hxxp://www.freefilesdownloader.com/api/cc | |
| hxxp://www.freefilesdownloader.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | |
| hxxp://www.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing | |
| hxxp://www.freefilesdownloader.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amonetizeinstaller.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: hXXp://VVV.somauto.com
Content-Type: text/html; charset=UTF-8
Date: Sun, 02 Aug 2015 01:10:15 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive159c.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
1 Transitional//EN">..<html>.. <head>.. <m
eta http-equiv="content-type" content="text/html; charset=UTF-8" />
.. <title>Installer</title>.. <base href
="hXXp://VVV.amonetizeinstaller.com:80/index.php?ts=1438477824&Net1.1=
&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29
BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2
&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41
&i=WSbing" />.. <script type="text/javascript" src="http:
//cdn1.downloadsoup.com/V26/amipb.js"></script>.. <
script type="text/javascript">.. var g_amiobj = '', g_am
i, g_updb = false, g_close = '0', g_additional_offer_list = '0';..
var g_finish_install_button = '0';.. var g_popup_in
stall_all = '0';.. var g_eula = '';.. var g_post
1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=0&_psb=0&_cnt=17a44a22
fad08cc0b155094444c454a2&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl
=&_netfs=0&_vert=0';.. var g_icon = '';.. var g_
comps = [], g_pages = [], c, g_curPage = -1;.. var g_cid =
'0';.. var g_tid = '';.. var g_cc = 'UA';..
var g_lang = 'en';.. var g_ip = '193.138.244.231';..
var g_browser = 'ie';.. var g_cnt = '6e3a7fadab
157730fdf029b3bdb897c8';.. var g_ver = '1.1.2.41';..<<< skipped >>>
GET /api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:40 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPkMQ==; expires=Mon, 01-Aug-2016 01:10:13 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:13 GMT; path=/; domain=the-ad.net
121
<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc="+chk;document.getElementsByTagName("head")[0].appendChild(s);}check(19960);</script></head><body></body></html>
0
GET /api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:49 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:18 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly
Set-Cookie: affhstr=MMJht12R8mf5XS5H9qrguZjpYYD4lCRnnyi8GNMUlyE.; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWssHMR7Vg_WwF0AkPt6181inzrpzZEGPL_nlC8StgvcU.; Path=/; Expires=Mon, 03 Aug 2015 01:10:18 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw==
Content-Length: 250
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U%2BT3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw%3D%3D
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:09 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly
Set-Cookie: affhstr=SxJUEk_TrqMsAi_i3WZIhxQxIMq3E0MVOtKtU9Smmos.; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWVTeiHGNz3gVK4cwKuZbGnjsf8CF6j956bb8f7mbeIDY.; Path=/; Expires=Mon, 03 Aug 2015 01:10:09 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc=
Content-Length: 186
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu%2FNdgFenPL1%2BkiGIS%2FoBRE%2FqBFA%2FRzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc%3D
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:13 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.10</center>
</body>
</html>
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:23 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.10</center>
</body>
</html>
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:10 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly
Set-Cookie: affhstr=cbUq31HdMjvKxUKaxyzjeLUlwSpdyT1Zx9780v1N9Y0.; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRW9leZcTZQbTjgMpmg0V2FEMXmYV5ORfiNeA4wKBeqGhs.; Path=/; Expires=Mon, 03 Aug 2015 01:10:10 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0=
Content-Length: 294
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1%2FUZ0R13zhKdcQ9T3rJPrV%2BySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti%2F6Nwf7jiLTCqp3lS5qx0Uu6SZV0%3D
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaO5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPhO3Jq/yVnb+o/ZlL7MXtLslBWGv4AIxurWygCmwwvBJYXFQGaFUcNn0pLc4pGTX3VsQdsicAFfIy6CGHzvw==; expires=Mon, 01-Aug-2016 01:10:23 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:23 GMT; path=/; domain=the-ad.net
121
<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc="+chk;document.getElementsByTagName("head")[0].appendChild(s);}check(12990);</
GET /V26/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 67392
Connection: keep-alive
Date: Wed, 29 Jul 2015 11:41:12 GMT
x-amz-meta-cb-modifiedtime: Wed, 29 Jul 2015 05:06:06 GMT
Last-Modified: Wed, 29 Jul 2015 11:32:50 GMT
ETag: "8f5a83ae50a0bbb833ac39d48197be0f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 48527
X-Cache: Hit from cloudfront
Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6xCzLhQycfjR-YoxJ4KTf2sLB5-FXFpguplV0KwJhbZx9SXtWhKdPQ==
//<!--
/* Progress bar */
var g_AmiPbs = new Array();
var g_AmiPbsEx = new Array();
var g_interval = 0;
var g_initComp = 0;
var g_possibleComps = [];
var g_reportedComps = [];
var g_removedComps = [];
function LogMessage(message) {
    try {
        g_ami.Log(message);
    }
    catch (excpt) {
    }
}
function IsDeclined(name) {
    var declined = 0;
    for (var i = 0; i < g_removedComps.length; i++) {
        if (g_removedComps[i] == name) {
            declined = 1;
            break;
        }
    }
    return declined;
}
function UpdateSkipStatus(sn) {
    if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {
        if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {
            g_ami.WriteProfileString(g_testf, '', sn, 'S');
            g_reportedComps.push(sn);
        }
    }
}
function ShortNameFromName(name) {
    for (c = 0; c < g_comps.length; c++) {
        if (g_comps[c].name == name) {
            return g_comps[c].sn;
        }
    }
    return name;
}
function UpdateComponentsStatus() {
    LogMessage('UpdateComponentsStatus function started');
    for (var j = 0; j < g_possibleComps.length; j++) {
        if (g_possibleComps[j].sn == 'updater') {
            continue;
        }
        if (g_possibleComps[j].sel !== 2 && !IsDeclined(g_possibleComps[j].sn) && !IsDeclined(g_possibleComps[j].name)) {
            var k = 0;
            try {
<<< skipped >>>
GET /api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:39 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.10</center>
</body>
</html>
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN4WFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPsN3lu5CRgePc/a1TnOykX0VF1T6xQIByvWSBTkF8tUJJKEVrIRhQNzEgRedJGTnaApwIPircHfY+6CGDmvHpj96dwO6+ldj/7rX5Ttax7XOeTZwi5wjAL55lsQ9rKaQ==; expires=Mon, 01-Aug-2016 01:10:14 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:14 GMT; path=/; domain=the-ad.net
120
<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc="+chk;document.getElementsByTagName("head")[0].appendChild(s);}check(2350);</script></head><body></body></html>
0
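Every /api/* call the installer makes to VVV.freefilesdownloader.com in the capture above is bounced through the same affiliate chain (freefilesdownloader.com, then unlimitedloads.com, then rc-aflrm.com, then y.the-ad.net), and the requests are listed out of order, so the chain is easier to reconstruct by matching Location targets to captured request lines than by reading top to bottom. The following Python is an added example, not code from the report or from the sample: it parses a transcript in the layout shown on this page, undoes the report's defanging (hXXp://, VVV. for www.), follows the redirects using only captured responses, and lists the contacted hosts as an IOC set. SAMPLE is a constructed, trimmed copy of the /api/cc exchanges; the function and field names are mine.

```python
"""Added example (not the Lavasoft report's or the sample's code): rebuild the
redirect chain from a transcript in the layout shown above, with the report's
defanging (hXXp://, VVV. for www.). SAMPLE is a constructed, trimmed copy of
the /api/cc exchanges, kept in the out-of-order sequence the report lists."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SAMPLE = """\
GET /api/cc HTTP/1.1
Host: VVV.freefilesdownloader.com
HTTP/1.1 302 Found
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
Content-Length: 0
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= HTTP/1.1
Host: y.the-ad.net
HTTP/1.1 200 OK
Content-Type: text/html
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
Host: rc-aflrm.com
HTTP/1.1 302 Moved Temporarily
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc=
Content-Length: 186Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NT
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
Host: unlimitedloads.com
HTTP/1.1 301 Moved Permanently
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
"""

REQUEST_RE = re.compile(r"^(?:GET|POST|HEAD) (.+) HTTP/1\.[01]$")  # target may contain spaces
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")


@dataclass
class Exchange:
    path: str                    # request-target exactly as sent
    host: str = ""
    status: Optional[int] = None
    location: str = ""


def refang(text: str) -> str:
    """Undo the report's defanging so URLs can be parsed and compared."""
    return (text.replace("hXXps://", "https://")
                .replace("hXXp://", "http://")
                .replace("VVV.", "www."))


def parse_transcript(text: str) -> List[Exchange]:
    """One Exchange per request; keeps Host, status and Location only."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = Exchange(path=m.group(1))
            exchanges.append(cur)
            continue
        if cur is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            cur.status = int(m.group(1))
            continue
        name, sep, value = line.partition(": ")  # body lines have no "name: value"
        if sep and name.lower() == "host" and cur.status is None:
            cur.host = refang(value.strip())
        elif sep and name.lower() == "location" and cur.status is not None:
            cur.location = refang(value.strip())
    return exchanges


def split_url(url: str) -> Tuple[str, str]:
    """(host, request-target) of a Location value, in request-line form."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.netloc, target


def follow_chain(exchanges: List[Exchange], host: str, path: str, limit: int = 10):
    """Walk Location headers from (host, path) using only captured responses;
    an uncaptured hop is reported with status None and a repeated hop stops."""
    index = {(e.host, e.path): e for e in exchanges}
    hops: List[Tuple[str, Optional[int]]] = []
    seen = set()
    while (host, path) not in seen and len(hops) < limit:
        seen.add((host, path))
        e = index.get((host, path))
        if e is None:
            hops.append((host, None))
            break
        hops.append((host, e.status))
        if not e.location:
            break
        host, path = split_url(e.location)
    return hops


def contacted_hosts(exchanges: List[Exchange]) -> List[str]:
    """Sorted hosts seen as request Host or as redirect targets (IOC list)."""
    hosts = {e.host for e in exchanges if e.host}
    hosts |= {split_url(e.location)[0] for e in exchanges if e.location}
    return sorted(hosts)
```

Matching on the exact request-target (including the unencoded space in `q=File Downloader/...`) is deliberate: the Location values in this capture are not percent-encoded and the request lines reproduce them byte for byte, so a normalising comparison would only hide mismatches an analyst should see. Note also what sits at the end of the chain: the page y.the-ad.net returns does nothing but load `/?nc=` followed by `(20 - getTimezoneOffset()/60) * id`, a value derived from the client's UTC offset, so the follow-up script the sandbox received is specific to its time zone and a replay from elsewhere may fetch different content.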
The Trojan connects to the servers at the following location(s):
(The host list is missing from this copy of the report; the hosts seen in the traffic capture above are VVV.freefilesdownloader.com, unlimitedloads.com, rc-aflrm.com, y.the-ad.net, cdn1.downloadsoup.com and, via the Referer header, VVV.amonetizeinstaller.com.)
Strings from dumps (PE section names, imported APIs and format strings extracted from the file and from the injected process image):
.text
`.rdata
@.data
.rsrc
@.reloc
PASSWORD
REPORT
RegOpenKeyTransactedW
Cannot put setting information: %x
CreateProcess failed (%d).
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
Product version: 1.0.1.1
1,0,1,1099
HTMLayout.dll
operator
portuguese-brazilian
GetProcessWindowStation
C:\iPumper\iPumper\Installer\Build\Release\TinyInstaller.pdb
HTMLayoutCombineURL
NETAPI32.dll
dbghelp.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW
ADVAPI32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WinHttpOpen
WinHttpCloseHandle
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
Secur32.dll
RPCRT4.dll
PSAPI.DLL
GetCPInfo
.?AUIHttpRequestEvents@Http@CommonLib@@
.?AVCThreadCRT@System@CommonLib@@
<requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
Checking is %s installed
Stopped dumping amitest.txt
Started deleting amitest.txt
amitest.txt
Started dumping amitest.txt
mism.exe started
Starting mism.exe
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}TypeLib\{44444444-4444-4444-4444-440344264420}\1.0\0\win32SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar
TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}\1.0\0\win32Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
VVV.products-placement.com
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
chromex
[d/d/d
d:d:d:d]
https:
http:
<div id="under_toolbar"><img src="images/gttoolbar_318.png"></div>
<div id="under_toolbar"><img src="images/intoolbar_318.png"></div>
<div id="under_toolbar"><img src="images/wstoolbar_318.png"></div>
29-03-2013
Advapi32.dll
[ASCTaskScheduler] Error: TaskUrl value is invalid
QueryServiceStatusEx failed (%d)
[ASCTaskScheduler] Error: pExecAction->put_Path is failed
TaskUrl
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Can't delete file: %s
finish_screen.html
Key doesn't exist
Key exists
Checking does %s\%s exists
simapp_id: '%s'
"%s" --uninstall
"%s",1
Installing from: '%s' to '%s'
Mozilla\FireFox\Extensions
[email protected]
extension_firefox.xpi
Installing firefox extension
Installed: '%s'
Google\Chrome\Extensions\%s
extension_chrome.crx
Installing chrome extension
\iPumper.lnk
Starting distrib uninstaller: '%s'
Usenet.nl.exe
mediaget.exe
iPumper.exe
Uninstalling: '%s'
%s\%s
User global groups: %s
User local groups: %s
Default browser path: '%s'
http\shell\open\command
Windows version: %s
Parent process path: '%s'
Special param --config: '%s'
hXXp://%s/up/?key=%s&where=%s
%domain%
hXXp://%s/log/%s_crashlog
%s%i: %s - 0x%0X
\Updater.exe
Updater.exe was extracted
Extracting Updater.exe
Updater.exe
\extension_firefox.xpi
\extension_chrome.crx
\config.xml
Checking --auto switch: %d
Checking --silent switch: %d
Checking --uninstall switch: %d
Command line: '%s'
hXXp://%s/log/%s
Flushing log to domain: '%s'
CT3272810.startpageurl = %s
CT3272810.startpageurl
HKEY_CURRENT_USER\Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository exists
Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository
wstest.exe started
Starting wstest.exe
Qtrax folder was found: '%s'
\Microsoft\Silverlight\OutOfBrowser\*.portal.qtrax.com
Ping sent. Url: '%s'. Status: %d
secret_key
%s/%s
keywordinstalled
keywordexecute
hXXp://%s/api/%s/%s/%s
hXXp://%s/%s/suddendeath/
%s screen: cancel is pressed
%s screen: continue is pressed
%s screen is shown
.html
Start %s screen
Uninstalled started. Self path: '%s'
started: %d
?id_1=%s&id_2=%s&id_3=%s
zid: %s
bid: %s
visitor_id: %s
/s /i SweetImBing /u hXXp://VVV.amoninst.com/index.php /ta /x_t_b_toolbar
/u hXXp://VVV.amoninst.com/index.php /ta
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\avast
Oxy path: %s
\Oxy\Application\Oxy.exe
transmission-daemon.exe
hXXp://download.microsoft.com/download/c/6/e/c6e88215-0178-4c6c-b5f3-158ff77b1f38/NetFx20SP2_x86.exe
dotnetfx35.exe
v2.0.50727
\iPumper\iPumper.exe
Distrib downloaded: '%s'. Size: '%d'
hXXps://
hXXp://
Generated GUID: '%s'. Last error: %d
Keyword: '%s'
Programs path: '%s'
Install path: '%s'
Configured affid: '%s'
config.xml
download_screen.html
splash_screen.html
Installer started. Self path: '%s'. Self name: '%s'
KERNEL32.DLL
Windows NT 4
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows CE
Windows NT 3.51
Windows 95
Windows 95 SP1
Windows 95 OSR2
Windows 98
Windows 98 SP1
Windows 98 SE
Windows ME
unknown Windows version
Web Server Edition
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
c:\%original file name%.exe
0.0.0.0
xyzeAhK3X.lnk_p
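The installer's own log strings above (Installing chrome extension, Installed: '%s', Checking does %s\%s exists, Starting mism.exe, Updater.exe was extracted, the Run key, the Conduit ChromeExtData key and the WhiteSmoke_New Toolbar uninstall entry) together with the file-activity section are enough to write a host triage check. The following Python is an added example, not the installer's code and not part of the Lavasoft report. It assumes the locations the report gives: config.xml under %APPDATA%\iPumper, htmlayout.dll and the tmp*.exe droppers in %TEMP%, the registry keys quoted in the strings. The report does not say which hive the Run key lives in, so HKCU and HKLM are both checked (assumption); the Wow6432Node uninstall key assumes a 64-bit host, and AppID/TypeLib are assumed to sit under HKCR. Registry reads only happen on Windows; path resolution and the Run-value filter are plain Python so the logic can be tested anywhere.

```python
"""Added host-triage example (not the installer's code, not part of the report).
Locations come from the file-activity section and the strings above. HKCU and
HKLM are both checked for the Run key (assumption); the Wow6432Node uninstall
key assumes a 64-bit host and AppID/TypeLib are assumed to be under HKCR.
Registry reads happen only on Windows; everything else is plain Python."""
import os
import sys
from typing import Callable, Dict, List, Tuple

# (environment variable, relative path) pairs taken from the report.
FILE_ARTIFACTS: List[Tuple[str, str]] = [
    ("APPDATA", r"iPumper\config.xml"),
    ("TEMP", "htmlayout.dll"),
    ("TEMP", "tmp2.exe"),
    ("TEMP", "tmp5.exe"),
    ("TEMP", "amitest.txt"),
]
REG_KEYS: List[Tuple[str, str]] = [
    ("HKCU", r"Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar"),
    ("HKLM", r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar"),
    ("HKCR", r"AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}"),
    ("HKCR", r"TypeLib\{44444444-4444-4444-4444-440344264420}"),
    ("HKCR", r"TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}"),
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_MARKERS = ("ipumper", "updater.exe", "mism.exe", "wstest.exe")  # binaries named in the strings


def resolve_files(env: Dict[str, str]) -> List[str]:
    """Expand FILE_ARTIFACTS against an environment mapping (os.environ on a live host)."""
    paths = []
    for var, rel in FILE_ARTIFACTS:
        base = env.get(var)
        if base:
            paths.append(base.rstrip("\\/") + "\\" + rel)
    return paths


def check_files(env: Dict[str, str], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Artifact paths present on disk; `exists` is injectable for offline tests."""
    return [p for p in resolve_files(env) if exists(p)]


def suspicious_run_values(values: Dict[str, str]) -> List[str]:
    """Run-key value names whose command references one of the installer's binaries."""
    return [name for name, cmd in values.items()
            if any(marker in cmd.lower() for marker in RUN_MARKERS)]


def _hive(name: str):
    import winreg  # Windows-only; imported lazily so the module loads elsewhere
    return {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCR": winreg.HKEY_CLASSES_ROOT}[name]


def key_exists(hive: str, path: str) -> bool:
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(_hive(hive), path))
        return True
    except OSError:          # missing or access denied
        return False


def read_run_values(hive: str) -> Dict[str, str]:
    """All values under the Run key of one hive ({} if the key is absent)."""
    import winreg
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(_hive(hive), RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # end of the value list
                    break
                values[name] = str(data)
                index += 1
    except OSError:
        pass
    return values


def main() -> None:
    for path in check_files(dict(os.environ)):
        print("file present:", path)
    if sys.platform != "win32":
        print("registry checks skipped: not Windows")
        return
    for hive, path in REG_KEYS:
        if key_exists(hive, path):
            print("key present:", hive + "\\" + path)
    for hive in ("HKCU", "HKLM"):
        for name in suspicious_run_values(read_run_values(hive)):
            print("autorun entry:", hive, name)


if __name__ == "__main__":
    main()
```

Run it as the affected user, since %APPDATA% and %TEMP% resolve per profile; a 32-bit Python on a 64-bit host is redirected to Wow6432Node automatically, which is why both uninstall paths are listed rather than relying on the redirection. The tmp*.exe names and amitest.txt are transient (the report shows amitest.txt deleted during the run), so their absence proves nothing; config.xml, the Conduit key and the Run value are the durable indicators.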
%original file name%.exe_320_rwx_10001000_0025B000:
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Buffer error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
accesskey
user32.dll
CSS ERROR, bad selector in select_elements_by_css: %S
uxtheme.dll
orientation-portrait
composition-supported
1.4.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
file://%s
<html><body style='color:red'>Error: cannot open %s</body></html>
CSSS! RUNTIME ERROR evaluating:%s
SourceUrl
Content-Type: application/x-www-form-urlencoded;charset=utf-8
https
htmlayout 3.3; %s; VVV.terrainformatica.com )
HTTP/1.0
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
key-on!
key-off!
CSS ERROR in %s at line %d: bad attribute declaration syntax:
CSS ERROR in %s at line %d: bad attribute syntax, ignored:
CSS ERROR in %s at line %d: bad combination of 'display-model' and 'display'
CSS ERROR in %s at line %d: tag %s was already defined
CSS ERROR in %s at line %d: 'display-model' without 'display' definition
CSS ERROR in %s at line %d: bad css selector, following declaration skipped:
CSS ERROR in @import statement at line %d:
CSS ERROR in @include statement at line %d:
CSS ERROR in @font-face statement at line %d, font resource %s is not available
CSS ERROR in @font-face statement at line %d, failed to install font
CSS ERROR in @font-face statement at line %d, declaration is not complete
CSS ERROR in @font-face statement at line %d:
CSS ERROR in @set statement at line %d:
CSS ERROR in @set statement at line %d, parent set %s is not found
CSS ERROR in %s at line %d: AT-rule is not acceptable here, following declaration skipped:
CSS ERROR in %s at line %d: wrong @const declaration, following statement skipped:
CSS ERROR in %s at line %d: invalid @media declaration
crosshair
url()
CSS ERROR in colorize() function: bad color value: %S
CSS ERROR, function '%s' is not supported
CSSS! ERROR in %s at line %d: %s
res:master.css
CSSS! RUNTIME ERROR:%s
<p style='color:red'>ERROR: cyclic INCLUDE of url %s</p>
http-equiv
button.plus
password
-password-char
%u-%u-%u
%u:%u:%u
comctl32.dll
<div.prev-date/>
<div.next-date/>
<text.statusbar>
<span .today-legend/>
<span .today-caption>
</span>: <span .today>
<div .month .button month=
</div><div .year .button>
<th .weekday>
<td .day
.today
.other-month
u-u-u
<td .month
<div .year .button>
<div .decade .button>
<td .year
.other-year
<div .century .button>
<td .decade
.other-decade
%d-<br>%d</td>
image%d%s
http:*
https:*
%d(%d)
cid:%s
<a href="%S">%S</a>
<img src="%s">
Windows-3.11
Windows-95
Windows-95-OSR2
Windows-98
Windows-98-SE
Windows-ME
Windows-CE
Windows-NT4
Windows-2000
Windows-2003
Windows-XP
Windows-Vista
Windows-7
above-Windows-7
%Y-%m-%dZ
%Y-%m-%d
%Y-%m-%dT%H:%MZ
%Y-%m-%dT%H:%M
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%S
%H:%M:%SZ
%H:%M:%S
/:$-_.!*'(),?&=@#%
windows-1250
windows-1253
windows-1256
windows-1255
windows-1251
windows-1252
windows-1257
windows-1258
windows-1254
windows-874
unknown bytecode=%d
attribute '%S' not found or is read only
attribute '%S' not found
function '%S' not found
state flag '%S' not found
state flag '%S' not found or is read only
event '%S' not found
constant '%S' not found
unknown character with code 0x%x
unexpected token '%S'
got '%S' but required %S
bad name token '%S'
unknown variable '%S'
Msimg32.dll
image/vnd.microsoft.icon
UXTHEME.DLL
burlywood
%1x%1x%1x
%1x%1x%1x%1x
%2x%2x%2x
%2x%2x%2x%2x
%s,%u,%d,%d:%dx%d,%d,%d,%d,%d,%d,X
,XXXXXX
url(*)
0123456789
stroke-linejoin
.?AUevent_key@html@@
.?AUimage_functor@?1??get_image_urls@document@html@@QAEXAAV?$array@Vstring@tool@@@tool@@@Z@
.?AUexec_env@csss@html@@
.?AUurl_edit_ctl@html@@
.?AUurl_ctl_factory@html@@
.?AUpassword_edit_ctl@html@@
.?AUpassword_ctl_factory@html@@
c:\%original file name%.exe
style="foreground-image:url(res:edit-undo.png)"
>Undo<span class="accesskey">Ctrl Z</span></li>
style="foreground-image:url(res:edit-cut.png)"
>Cut<span class="accesskey">Ctrl X</span></li>
style="foreground-image:url(res:edit-copy.png)"
>Copy<span class="accesskey">Ctrl C</span></li>
style="foreground-image:url(res:edit-paste.png)"
>Paste<span class="accesskey">Ctrl V</span></li>
>Select All<span class="accesskey">Ctrl A</span></li>
PA<menu .richtext-context>
style="foreground-image:url(res:edit-undo.png)"
>Undo<span class="accesskey">Ctrl Z</span></li>
style="foreground-image:url(res:edit-cut.png)"
>Cut<span class="accesskey">Ctrl X</span></li>
style="foreground-image:url(res:edit-copy.png)"
>Copy<span class="accesskey">Ctrl C</span></li>
style="foreground-image:url(res:edit-paste.png)"
>Paste<span class="accesskey">Ctrl V</span></li>
>Select All<span class="accesskey">Ctrl A</span></li>
<div .cell-selection>
<caption style="color:graytext">Cells:<img.hr/></caption>
>Merge<span class="accesskey">Backspace</span></li>
>Split by rows<span class="accesskey">Ctrl 1</span></li>
>Split by columns<span class="accesskey">Ctrl 2</span></li>
P<menu .plaintext-context>
PADhtml { behavior: accesskeys; }background-image:url(theme:groupbox-normal);
fieldset > legend:rtl /* see hXXp://terrainformatica.com/forums/topic.php?id=1772 */
widget[type="password"],
input[type="password"],
widget[type="url"],
input[type="url"],
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-edit-menu.htm);
background-image:url(theme:edit-disabled);
:root[type="password"]
behavior:password;
:root[type="url"]
behavior:url;
context-menu:url(res:behavior-edit-menu.htm);
:root > button.minus
background-image:url(theme:v-spin-minus-normal);
:root:rtl > button.minus
:root > button.minus:hover
background-image:url(theme:v-spin-minus-hover);
:root > button.minus:active
background-image:url(theme:v-spin-minus-pressed);
:root > button.minus:disabled
background-image:url(theme:v-spin-minus-disabled);
:root > button.plus
background-image:url(theme:v-spin-plus-normal);
:root:rtl > button.plus
:root > button.plus:hover
background-image:url(theme:v-spin-plus-hover);
:root > button.plus:active
background-image:url(theme:v-spin-plus-pressed);
:root > button.plus:disabled
background-image:url(theme:v-spin-plus-disabled);
background-image:url(theme:button-normal);
background-image:url(theme:button-defaulted);
background-image:url(theme:button-hover);
background-image:url(theme:button-pressed);
background-image:url(theme:button-disabled);
background-image:url(theme:button-pressed); /* ?? */
background-image:url(theme:radio-normal);
background-image:url(theme:radio-hover);
background-image:url(theme:radio-pressed);
background-image:url(theme:radio-disabled);
background-image:url(theme:radio-checked-normal);
background-image:url(theme:radio-checked-hover);
background-image:url(theme:radio-checked-pressed);
background-image:url(theme:radio-checked-disabled);
background-image:url(theme:check-normal);
background-image:url(theme:check-hover);
background-image:url(theme:check-pressed);
background-image:url(theme:check-disabled);
background-image:url(theme:check-checked-normal);
background-image:url(theme:check-checked-hover);
background-image:url(theme:check-checked-pressed);
background-image:url(theme:check-checked-disabled);
background-image:url(theme:check-mixed-normal);
background-image:url(theme:check-mixed-hover);
background-image:url(theme:check-mixed-pressed);
background-image:url(theme:check-mixed-disabled);
foreground-image:url(stock:arrow-down); /* that arrow */
background-image:url(theme:h-progress-back);
foreground-image:url(theme:h-progress-chunk);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:tree-view-glyph-closed); }
foreground-image:url(theme:tree-view-glyph-open); }
/* tree line support: */
foreground-image:url(theme:check-normal);
option:incomplete > :first-child { foreground-image:url(theme:check-mixed-normal); }option:checked > :first-child { foreground-image:url(theme:check-checked-normal); }background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:check-normal);
foreground-image:url(theme:check-checked-normal);
/* caption portion of combobox */
/* caption portion of combobox when select is in focus */
:url(theme:combobox-button-normal);
background-image:url(theme:combobox-button-hover);
background-image:url(theme:combobox-button-pressed);
background-image:url(theme:combobox-button-disabled);
:root { background-image:url(theme:button-normal); }:root:hover { background-image:url(theme:button-hover); }:root:disabled { background-image:url(theme:button-disabled); }:root:active { background-image:url(theme:button-pressed); }:root > button { background: url(stock:arrow-down) center center no-repeat;}:root > button:hover { background-image:url(stock:arrow-down); background-position: center center; background-repeat: no-repeat;}:root > button:active { background-image:url(stock:arrow-down); background-position: center center; }:root:disabled > button { background-image:url(stock:arrow-down); background-position: center center; }context-menu:url(res:behavior-richtext-menu.htm);
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-text-menu.htm);
background-image:url(theme:h-trackbar-back);
:root > .slider
foreground-image:url(theme:h-trackbar-thumb-normal);
:root:focus > .slider
foreground-image:url(theme:h-trackbar-thumb-focus);
:root > .slider:hover
foreground-image:url(theme:h-trackbar-thumb-hover);
:root > .slider:active
foreground-image:url(theme:h-trackbar-thumb-pressed);
:root:disabled > .slider
foreground-image:url(theme:h-trackbar-thumb-disabled);
background-image:url(theme:v-trackbar-back);
foreground-image:url(theme:v-trackbar-thumb-normal);
foreground-image:url(theme:v-trackbar-thumb-focus);
foreground-image:url(theme:v-trackbar-thumb-hover);
:root > .slider:active
foreground-image:url(theme:v-trackbar-thumb-pressed);
foreground-image:url(theme:v-trackbar-thumb-disabled);
:root > div.page
/*:root > splitter:active { background:transparent url(theme:toolbar-button-checked) stretch; }*/
background-image:url(stock:arrow-right); /* that arrow */
/* accesskey label (span) */
span.accesskey
menu > option:current span.accesskey,
li:current span.accesskey
img.hr
menu.popup,
menu.context,
div.prev-date
background-image:url(theme:h-scrollbar-minus-normal);
div.prev-date:rtl
div.prev-date:active
background-image:url(theme:h-scrollbar-minus-pressed);
div.prev-date:hover {background-image:url(theme:h-scrollbar-minus-hover);
div.next-date
background-image:url(theme:h-scrollbar-plus-normal);
div.next-date:rtl
div.next-date:active
background-image:url(theme:h-scrollbar-plus-pressed);
div.next-date:hover {background-image:url(theme:h-scrollbar-plus-hover);
td.month.off,
td.day.off
td.day.other-month,
td.year.other-year,
td.decade.other-decade
:root:current td.month:current,
:root:focus td.month:current,
:root:current td.day:current,
:root:focus td.day:current,
:root:current td.year:current,
:root:focus td.year:current,
:root:current td.decade:current,
:root:focus td.decade:current
td.today
div.button
div.button:hover
background-image:url(theme:toolbar-button-hover);
div.button:active
background-image:url(theme:toolbar-button-pressed);
text.statusbar
span.today
span.today:hover {background-image:url(theme:toolbar-button-hover);
span.today:active {background-image:url(theme:toolbar-button-pressed);
span.today-legend
background-image:url(theme:combobox-button-normal);
:root > button.minus:rtl
:root > button.plus:rtl
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
SetViewportOrgEx
SetViewportExtEx
GetViewportExtEx
GetAsyncKeyState
GetKeyboardLayout
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
InternetCombineUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
.rdata
.data
.rsrc
.reloc
%d%%%%
s*.url
[id='%S'],[name='%S']
frame[id='%s'],frame[name='%s']
#xxx
width(%d%%)
height(%d%%)
url(%S)
import
%S %S %S %S
selector(%S)
%S %S
key-code
key-on
key-off
%s %S
frame[id='%S'],frame[name='%S']
frame[name='%s'],frame#%s
[name='%s']
important
td[value='u-u-u']
div.button.month
div.button.year
tr:nth-child(%d)
All files (*.*)
%S.%s
[command='%s']
ncid:%S
7%d;
^(ftp|https?)://((\d+\.\d+\.\d+\.\d+|[_a-zA-Z0-9\-]+([\.]+[_a-zA-Z0-9\-]+)*))(:[0-9]+)?((/[_a-zA-Z0-9\.\-]*)+)*(\?[_a-zA-Z0-9\&\=\%\,\-\!\(\)\{\}]+)?(\#[_a-zA-Z0-9\%]+)?$
^ftp\.[_a-zA-Z0-9\-]+([\.]+[_a-zA-Z0-9\-]+)*((/[_a-zA-Z0-9\.\-]*)+)*
hXXp://
PTF://
operand stack overflow
operator stack overflow
missing operand for
operator stack underflow
unknown _operator in evaluntil
())(<>><[]][{}}{&'()*+,-
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tmp5.exe:464
tmp2.exe:1252
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.