Monitor.Win32.PerfectKeylogger_2ec78d335d

by malwarelabrobot on June 28th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.MSILDrop.8 (B) (Emsisoft), Gen:Variant.MSILDrop.8 (AdAware), Monitor.Win32.PerfectKeylogger.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Trojan, Worm, EmailWorm, Monitor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2ec78d335d88dcbc6bd74873b242ed92
SHA1: 7f967dff65e07fb61d2a1fe358d682a24da76495
SHA256: e36f5a05c634282392bddbcb4062c50a7a983c7638409c34ccd64f2d9301d3ac
SSDeep: 49152:5xMVFM0MG C70HCgA 5H9bnBJ6ZroERHMGge1/jjFMfO34HX tq:/H0MG a0HCgzbBJ2rpbge1rz34HX t
Size: 4599808 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: DBMS are
Created at: 2014-06-06 10:26:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Monitor. A surveillance tool used to observe activity on a computer system.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Monitor creates the following process(es):

AutoHotkey111402_Install(2).exe:1168
mscorsvw.exe:1924
AutoHotkey111402_Install.exe:884
vshovs.exe:1768
rinst.exe:608

The Monitor injects its code into the following process(es):

%original file name%.exe:1600
setup.exe:1780

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process AutoHotkey111402_Install(2).exe:1168 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (2813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (21374 bytes)

The Monitor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (0 bytes)

The process %original file name%.exe:1600 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\AutoHotkey111402_Install(2).exe (17629 bytes)

The process AutoHotkey111402_Install.exe:884 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Template.ahk (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkey.chm (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\license.txt (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin (3761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\readme.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin (3885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe (6347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AU3_Spy.exe (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe (3853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\setup.exe (6293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Installer.ahk (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe (3911 bytes)

The process vshovs.exe:1768 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%System%\pk.bin (4 bytes)
%System%\bpk.dat (138 bytes)

The process setup.exe:1780 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process rinst.exe:608 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):

%System%\rinst.exe (7 bytes)
%System%\vshovswb.dll (1552 bytes)
%System%\vshovs.exe (15168 bytes)
%System%\pk.bin (4 bytes)
%System%\inst.dat (996 bytes)
%System%\vshovshk.dll (784 bytes)

The Monitor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (0 bytes)

Registry activity

The process AutoHotkey111402_Install(2).exe:1168 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D C5 F5 1D 94 E5 B5 24 24 77 F7 DC EE 54 2C 0A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"rinst.exe" = "rinst"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Monitor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1600 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 55 01 B3 0B D1 A3 36 EA E5 8C 46 99 4D 2E 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"AutoHotkey111402_Install(2).exe" = "AutoHotkey111402_Install(2)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Monitor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process mscorsvw.exe:1924 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process vshovs.exe:1768 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]
"(Default)" = "PK.IE"

[HKCR\PK.IE\CurVer]
"(Default)" = "PK.IE.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IE Plugin Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]
"(Default)" = "BPK IE Plugin Type Library"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IViewSource"

[HKCR\PK.IE.1\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]
"(Default)" = "%System%\vshovswb.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\PK.IE.1]
"(Default)" = "IE Plugin Class"

[HKCR\PK.IE]
"(Default)" = "IE Class"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]
"(Default)" = "%System%\vshovswb.dll"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]
"(Default)" = "PK.IE.1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 9B 13 A1 15 C1 E3 05 1F CD F7 51 A1 B8 DD 4D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\PK.IE\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

To run itself automatically each time Windows is booted, the Monitor adds a link to its file to the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vshovs" = "%System%\vshovs.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "PK IE Plugin"

The Monitor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The Monitor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vshovs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vshovs"

The process setup.exe:1780 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B4 F0 94 57 73 4A 99 B2 FE 1B 5D B5 42 F9 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Monitor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process rinst.exe:608 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB C6 96 C8 FD 6D E4 DC DD 11 B0 7A 6E 7C 6A 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"AutoHotkey111402_Install.exe" = "AutoHotkey Setup"

The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Monitor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
ad20f40c144869d62fa5e03a96a98984 c:\Documents and Settings\"%CurrentUserName%"\Application Data\AutoHotkey111402_Install(2).exe
71e128e297a3817f8396a5b862c1ea01 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AU3_Spy.exe
236d98ce24b3f534584d4eef13805598 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe
e142d2b124f161115161d0e2424107f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe
7e61170f7fd27c27641c1f49d38d6ce4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe
bac30e3a45b46cc23f22c46025053b3d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin
46a5e79f4e83fb59fe846d150ec5e300 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe
86b03e204944f39e2b441cf3c211c915 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin
3cce8b23fdd3e5d3ec42d094d204c6d2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin
e3afd9d01fb36f4aafb845720bdd8c6c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\setup.exe
0eee60867caf74958c4ab8432f827280 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe
a455ca431e66975d886f1a8cfee8cb9f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\rinst.exe
a455ca431e66975d886f1a8cfee8cb9f c:\WINDOWS\system32\rinst.exe
bae0fb25bcf05a5da7fde8dce759ee0d c:\WINDOWS\system32\vshovs.exe
58129986fa29f6dacd99ab45f60bcb3c c:\WINDOWS\system32\vshovshk.dll
2e6016325548ab79e2d636640c6ec473 c:\WINDOWS\system32\vshovswb.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: Autohotkey.exe
Internal Name: Autohotkey.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 4586308 4587520 4.47908 cc3b5d7df9bc2a770c49f2d8cc8a05d8
.rsrc 4595712 3872 4096 3.11224 8810e9202289c91294e3d40efd494710
.reloc 4603904 12 4096 0.011373 ffae2366a0adb901e6d11dfdc43116aa

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Monitor connects to the servers at the following location(s):

vshovs.exe_1768:

.text
`.rdata
@.data
.rsrc
0WSSh
SSSSh
YSSSh
ujSSh
tn9.uc
tq9.uf
!"#$%&'()* ,-./012
!"#$%&'()* ,-./012345678
kw.dat
mc.dat
Software\Blazing Tools\Perfect Keylogger\1.2
readme.txt
inst.dat
rinst.exe
pk.bin
inst.bin
inst.tmp
bpk.dat
$#$#$#$#$#$#$#$#$#$#$#$#$#$
web.dat
bpkch.dat
keystrokes.html
websites.html
chats.html
Logs.zip
bpk.chm
apps.dat
titles.dat
temporary.bmp
th_temp.bmp
report.txt
http://www.blazingtools.com/
update.tmp
updates/bpk.dat
install.log
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
FtpPutFileA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
EnumChildWindows
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutList
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
comdlg32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
RegDeleteKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
WSOCK32.dll
MSVCP60.dll
RPCRT4.dll
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
0xx %d
%u 0xx
%d %d
%d %d %d
Ss=%d, Se=%d, Ah=%d, Al=%d
%d: dc=%d ac=%d
%d: %dhx%dv q=%d
0xx: %u, %u, =%d
RST%d
0xx, %d
to %d
%d = %d*%d*%d
%4u %4u %4u %4u %4u %4u %4u %4u
0xx, length %u
%d x %d
%d.d
%dx%d %d
= = = = = = = =
%d precision %d
0xx: 0xx
Ðxx 0xx, %d
0xx 0xx
0xx
Ss=%d Se=%d Ah=%d Al=%d
.PAVCOXJPEGException@@
options_alerts.htm
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d
options_ftp.htm
OLEACC.DLL
oleacc.dll
TskMultiChatForm.UnicodeClass
TMsgForm
__oxFrame.class__
icq.exe
options_notification.htm
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
%s action failed!
Failed to execute unknown action!
The operating system is out
The operating system denied
There was not enough memory to complete the operation.
d-d-%d d:d:d
WININET.DLL
%s <%s>
Content-Location: %s
Content-ID: %s
Content-Base: %s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s
Content-Disposition: attachment; filename="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
--%s--
Microsoft Outlook Express 6.00.2800.1437
Reply-To: %s
Content-Type: %s;
charset=%s
Content-Type: %s
Content-Type: %s; boundary="%s"
Subject: %s
Date: %s
X-Mailer: %s
Cc: %s
From: %s
To: %s
%a, %d %b %Y %H:%M:%S
=?%s?q?
EHLO %s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
Password:
AUTH LOGIN
AUTH LOGIN PLAIN
Opera
Mozilla
Firefox
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
Build 1.6.8.2
version.dll
options_common.htm
options_diary.htm
options_title.htm
options_email.htm
Perfect Keylogger Test
KERNEL32.DLL
Setup=rinst.exe
Program files (*.exe)
*.exe
All files (*.*)
explorer.exe
\shell32.dll
-$!.#"%&'(
d-d-%d d:d
user32.dll
EnableSpecialKeysLogging
main.htm
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Perfect Keylogger
%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
nopass
d-d-d-d-d-d
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
i.dll
un.exe
vw.exe
wb.dll
hk.dll
r.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
psapi.dll

%s, %s

%s

 %s

%d/%d/%d %d:%d:%d

%s %s

%s

%s

%s, %s

%s - %s, %s

%s

advapi32.dll
\StringFileInfo\XX\FileDescription
Application files (*.exe)
options_ex_programs.htm
options_screenshots.htm
%ld%c
00000409
##.kkJ
):76666'$
<840.----#
33<<33::3399338833773333
33<<33::3399
8833773333
11<<11::119;66;811771111
))<<))::);
;)77))))
''<<%'::%
#!<<##::#
111111111111111
11111111111111111111
#-5874.*'&&()('#
'-.,(%&)0686.&
#-5874.*'&&()('"
& .010.- (%!
(17<>=<97641.)$
fdUD2(( -.CA*7
"(.67420' !'
%,27>=:97/)).
(.3431/...148
@?940.04
@?:5/,,.
%(()))** -.
, (&#! "#
  (&#""#
}@"7>>7&$
LOGIN PLAIN
version="1.0.0.0"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Password
Password required
Enter the password:
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
&Web log (websites visited)
&Also hide keylogger's icon when it will start next time
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
&SMTP server:
Example: smtp.aol.com
&Port number:
&Password:
Text log (&keystrokes)
Password protection
&Try to upload logs by FTP every
HTML (can be viewed with a web browser)
Example: ftp.prohosting.com
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Use passive &mode (this may be necessary for some firewalls)
T&est FTP
Capture mouse clicks &only in the following windows:
This software may be installed and evaluated for 5 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
Days remaining: %d.
Perfect Keylogger's Registration
Enter &old password:
Enter &new password:
&Repeat new password:
To remove the password, leave the fields blank.
To set or change the password for using keylogger, click Password button.
&Password...
&Monitor only online activity (disable keylogger when computer is offline)
&Use progressive method of keystroke interception
(flip this option if you have problems with keyboard logging)
&Include non-character keys in the log
Perfect Keylogger's Home Page
About Perfect Keylogger
www.blazingtools.com
[email protected]
Use the newest solution in the visual surveillance and keyboard monitoring!
&Run on Windows startup
Hotkeys
msctls_hotkey32
HotKey1
&Make the program invisible in the Windows startup list
Click here to uninstall keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
The wizard can also create package for removal of the installed keylogger.
&Automatically uninstall remote keylogger after
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Keylogger will be installed into the following folder:
&Install new or update existing keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
By FTP
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
&Add keyword
Keyword detection action
BlazingTools Perfect Keylogger
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
[email protected] haven't specified the hotkey to put keylogger into the visible mode. Do you really want to disable hotkey?/Please, specify the destination e-mail address.
Perfect Keylogger report:
Keylogger is ready to work! Type any text in any application, then double click on Perfect Keylogger's icon to view the log. To hide the icon, right click on it and select "Hide program icon" from the context menu. Thank you for installing Perfect Keylogger!
Invalid password!
5An error occured on saving file "%s". Error code = %u
An error has occurred while creating the package. The wizard will be closed. Please make sure that keylogger is running from the original location.CType folder path here or click "Next" to install to "System" folder;"System" folder (path will be detected during installation)
www.blazingtools.com/bpk.html
www.blazingtools.comVPlease, first specify the hotkey to show the icon next time. Do you want to do it now?TYou're about to hide the program icon.
Attention: use %s to show the icon next time.
FTP server
OError while connecting to site. Please make sure that FTP settings are correct.
Unable to set FTP directory.
Incorrect hook DLL version.ZCan't to set hotkey combination #%d (already in use). Please, specify another combination.
Enter re&gistration code...ETo remove this screen and other trial limitations, please buy it now.)http://www.blazingtools.com/orderbpk.html_This is a Perfect Keylogger test message. If you've received it, all mail settings are correct.6Test message was sent succesfully. Check your mailbox.$COPYING TO THE CLIPBOARD WAS LOGGED:$Test file was uploaded successfully!HCongratulations! If you are reading this file, FTP settings are correct.5&Specify the program to combine with the uninstaller:6&Specify the program to combine it with the keylogger:
YA new version of Perfect Keylogger is available. Do you want to download the new version?
When somebody will run this package, it will stop running keylogger and remove it.
Attention: Perfect Keylogger version 1.45 or higher is required..Perfect Keylogger was installed successfully: ZPerfect Keylogger was installed on the computer %s, with IP address %s, user %s at %s, %s.KLog upload date: %s
Time: %s
Computer: %s
IP address: %s
User: %s
Please notice, that keylogger's startup screen will appear when installation package will be launched. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Perfect Keylogger Alert: ePerfect Keylogger has detected that keyword "%s" was typed by user %s at the computer %s.
Context: %s
Error launching Log Viewer.zPefect Keylogger has detected that web page %s contains keyword "%s". This page was visited by user %s at the computer %s.
AttentionARegistration succeeded. Thank you for choosing Perfect Keylogger!
Hide program &icon "Set new Perfect Keylogger password!Change Perfect Keylogger password
Wrong old password.
Passwords do not match.*http://www.blazingtools.com/downloads.html
Perfect Keylogger Test Message
This option forces the keylogger to delete itself from the Windows Startup to make it more stealth.
If you choose it, the keylogger won't run at Startup after the power failure or incorrect PC shutdown.
Password captured: %Where do you want to store your logs?3Select the folder where you want to store the logs:
Change ZIP file password
Set ZIP file password

AutoHotkey111402_Install.exe_884:

.text
`.rdata
@.data
.rsrc
USER32.dll
ShellExecuteExW
SHELL32.dll
MSVCRT.dll
_acmdln
KERNEL32.dll
Decoder doesn't support this archive
There is no file to execute
 
 
AutoHotkey Setup
1.1.14.02
AutoHotkey

setup.exe_1780:

.text
`.rdata
@.data
.rsrc
GetProcessWindowStation
operator
InternetOpenUrlW
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
GdiplusShutdown
Error text not found (please report)
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
PSAPI.DLL
GetCPInfo
GetWindowsDirectoryW
KERNEL32.dll
GetKeyState
GetKeyboardLayout
SetWindowsHookExW
UnhookWindowsHookEx
RegisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
keybd_event
VkKeyScanExW
MapVirtualKeyW
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetProcessHeap
MsgBox 0x31, AutoHotkey Setup,
(LTrim Join`s
IfMsgBox Cancel
DetectHiddenWindows On
InstallFile(exefile, "AutoHotkey.exe")
MsgBox 64, AutoHotkey Setup, The settings have been updated.
RunAutoHotkey_()
ProductName := "AutoHotkey"
ProductWebsite := "http://ahkscript.org/"
DefaultPath := (ProgramW6432 ? ProgramW6432 : A_ProgramFiles) "\AutoHotkey"
DefaultStartMenu := "AutoHotkey"
AutoHotkeyKey := "SOFTWARE\AutoHotkey"
UninstallKey := "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey"
FileTypeKey := "AutoHotkeyScript"
ViewHelp("/docs/Scripts.htm#install")
if WinExist("AutoHotkey Setup ahk_class AutoHotkeyGUI") {
MsgBox 0x30, AutoHotkey Setup, AutoHotkey Setup is already running!
Gui Add, ActiveX, vwb w600 h400 hwndhwb, Shell.Explorer
OnMessage(0x100, "gui_KeyDown", 2)
excpt := excpt.Message
MsgBox 0x10, AutoHotkey Setup, Setup failed to initialize its user interface and will now exit.
MsgBox 0x13, AutoHotkey Setup,
IfMsgBox Yes
else IfMsgBox No
Gui Show,, AutoHotkey Setup
MsgBox 0x34, AutoHotkey Setup, Are you sure you want to exit setup?
IfMsgBox No
local url, v
RegRead CurrentPath, HKLM, %AutoHotkeyKey%, InstallDir
RegRead CurrentVersion, HKLM, %AutoHotkeyKey%, Version
RegRead CurrentStartMenu, HKLM, %AutoHotkeyKey%, StartMenuFolder
RegRead url, HKLM, %UninstallKey%, URLInfoAbout
if (url = "http://www.autohotkey.net/~Lexikos/AutoHotkey_L/"
|| url = "http://l.autohotkey.net/")
CurrentName := "AutoHotkey_L"
CurrentName := "AutoHotkey"
FileAppend ExitApp `% (A_IsUnicode=1) << 8 | (A_PtrSize=8) << 9, %A_Temp%\VersionTest.ahk
RunWait %CurrentPath%\AutoHotkey.exe "%A_Temp%\VersionTest.ahk",, UseErrorLevel
FileDelete %A_Temp%\VersionTest.ahk
DefaultCompiler := FileExist(CurrentPath "\Compiler\Ahk2Exe.exe") != ""
RegRead v, HKCR, %FileTypeKey%\ShellEx\DropHandler
RegRead v, HKCR, Applications\AutoHotkey.exe, IsHostApp
RegRead v, HKCR, %FileTypeKey%\Shell\Open\Command
wb.Silent := true
wb.Navigate("about:blank")
while wb.ReadyState != 4
wb.Document.open()
wb.Document.write(html)
wb.Document.Close()
w := wb.Document.parentWindow
w.initOptions(CurrentName, CurrentVersion, CurrentType
w.installdir.disabled := true
w.installdir_browse.disabled := true
w.installcompiler.disabled := !DefaultCompiler
w.installcompilernote.style.display := "block"
w.ci_nav_install.innerText := "apply"
w.install_button.innerText := "Apply"
w.extract.style.display := "None"
w.opt1.disabled := true
w.opt1.firstChild.innerText := "Checking for updates..."
w.installcompiler.checked := DefaultCompiler
w.enabledragdrop.checked := DefaultDragDrop
w.separatebuttons.checked := DefaultIsHostApp
w.it_x64.style.display := "None"
w.separatebuttons.parentNode.style.display := "none"
w.switchPage("start")
w.document.body.focus()
logicalDPI := w.screen.logicalXDPI, deviceDPI := w.screen.deviceXDPI
w.document.body.style.zoom := A_ScreenDPI/96 * (logicalDPI/deviceDPI)
URLDownloadToFile http://ahkscript.org/download/1.1/version.txt, %A_Temp%\ahk_version.txt
FileRead latestVersion, %A_Temp%\ahk_version.txt
FileDelete %A_Temp%\ahk_version.txt
w.opt1.firstChild.innerText := "Reinstall (download required)"
w.opt1.firstChild.innerText := "Download v" latestVersion
w.opt1.href := "ahk://Download/"
w.opt1.disabled := false
w.opt1.innerText := "An error occurred while checking for updates."
gui_KeyDown(wParam, lParam, nMsg, hWnd) {
pipa := ComObjQuery(wb, "{00000117-0000-0000-C000-000000000046}")
VarSetCapacity(kMsg, 48), NumPut(A_GuiY, NumPut(A_GuiX
, NumPut(nMsg, NumPut(hWnd, kMsg)))), "uint"), "int"), "int")
r := DllCall(NumGet(NumGet(1*pipa) 5*A_PtrSize), "ptr", pipa, "ptr", &kMsg)
until wParam != 9 || wb.Document.activeElement != ""
wb_BeforeNavigate2(wb, url, flags, frame, postdata, headers, cancel) {
if !RegExMatch(url, "^ahk://(.*?)/(.*)", m)
prms.Insert(A_LoopField)
%func%(prms*)
wb_NavigateError(wb, url, frame, status, cancel) {
wb_BeforeNavigate2(wb, url, 0, frame, "", "", cancel)
(Join,
bufs.SetCapacity(bufn, (4 + prms.MaxIndex()) * A_PtrSize)
buf := bufs.GetAddress(bufn)
if pOleObject := ComObjQuery(wb, "{00000112-0000-0000-C000-000000000046}")
, pOleObject, "ptr", WBClientSite.IOleClientSite, "uint")
static IID_IUnknown := "{00000000-0000-0000-C000-000000000046}"
static IID_IOleClientSite := "{00000118-0000-0000-C000-000000000046}"
static IID_IServiceProvider := "{6d5140c1-7436-11ce-8034-00aa006009fa}"
NumPut(WBClientSite.IOleClientSite, ppvObject 0)
NumPut(WBClientSite.IServiceProvider, ppvObject 0)
static IID_IInternetSecurityManager := "{79eac9ee-baf9-11ce-8c82-00aa004ba90b}"
NumPut(WBClientSite.IInternetSecurityManager, ppvObject 0)
return wb.document.parentWindow
ErrorExit(errMsg) {
MsgBox 16, AutoHotkey Setup, %errMsg%
WinGet w, List, ahk_class AutoHotkey
WinGet exe, ProcessPath, % "ahk_id " w%A_Index%
if (exe != "") {
if InStr(exe, installdir "\") != 1
exe := SubStr(exe, StrLen(installdir) + 2)
if !RegExMatch(exe, "i)^(AutoHotkey(A32|U32|U64)?\.exe|Compiler\\Ahk2Exe.exe)$")
title := RegExReplace(title, " - AutoHotkey v.*")
close.Insert(w%A_Index%)
MsgBox 49, AutoHotkey Setup,
Loop % close.MaxIndex()
GroupAdd autoclosegroup, AutoHotkey_L Help ahk_class HH Parent
GroupAdd autoclosegroup, AutoHotkey Help ahk_class HH Parent
GroupAdd autoclosegroup, Active Window Info ahk_exe %installdir%\AU3_Spy.exe
GroupAdd autoclosegroup, Ahk2Exe v ahk_exe %installdir%\Compiler\Ahk2Exe.exe
getWindow().switchPage(page)
shellWindows := ComObjCreate("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
desktop := shellWindows.Item(ComObj(19, 8))
, "{4C96BE40-915C-11CF-99D3-00AA004AE837}"
, "{000214E2-0000-0000-C000-000000000046}")
shell := ComObj(9,pdisp,1).Application
shell.ShellExecute(prms*)
getWindow().switchPage("custom-install")
SelectFolder(id, prompt="", root="::{20d04fe0-3aea-1069-a2d8-08002b30309d}") {
if !(field := wb.document.getElementById(id))
, % root " *" field.value
field.value := path
Run_(A_ScriptDir "\license.txt")
if FileExist("AutoHotkey.chm")
path := A_WorkingDir "\AutoHotkey.chm"
path := CurrentPath "\AutoHotkey.chm"
Run_("hh.exe", "mk:@MSITStore:" path "::" topic)
Run_("http://ahkscript.org" topic)
RunAutoHotkey() {
Run_("AutoHotkey.exe", """" A_WorkingDir "\Installer.ahk"" /runahk")
RunAutoHotkey_() {
script_path := A_MyDocuments "\AutoHotkey.ahk"
Run AutoHotkey.exe,,, pid
(LTrim Join`s
AutoHotkey has exited. You may need to edit your startup
to do, you can add a hotkey.
if WinExist("ahk_class AutoHotkey ahk_pid " pid) {
DetectHiddenWindows Off
MsgBox 0x40, AutoHotkey Setup, Your script is running in the background.
MsgBox % message_flags, AutoHotkey Setup, %message%`n`nYour script is located here:`n %script_path%`n`nDo you want to edit this file?
Run edit "%script_path%"
ViewWebsite() {
Run_(ProductWebsite)
shell := ComObjCreate("Shell.Application")
try FileCreateDir %dstDir%
dst := shell.NameSpace(dstDir)
src := shell.NameSpace(SourceDir)
try dst.CopyHere(src.Items, 256)
FileCopyDir %SourceDir%, %dstDir%, 1
MsgBox 48, AutoHotkey Setup, An unspecified error occurred.
Run %dstDir%
Run http://ahkscript.org/download/ahk-install.exe
(Join C
ahk2exe: DefaultCompiler,
(Join
(C Join
type: w.installtype.value,
path: w.installdir.value,
menu: w.startmenu.value,
ahk2exe: w.installcompiler.checked,
dragdrop: w.enabledragdrop.checked,
utf8: DefaultToUTF8, ;w.defaulttoutf8.checked
isHostApp: w.separatebuttons.checked
RegDelete HKLM, %UninstallKey%
RegDelete HKLM, %AutoHotkeyKey%
RegDelete HKCU, %AutoHotkeyKey%
RegDelete HKCR, .ahk
RegDelete HKCR, %FileTypeKey%
RegDelete HKCR, Applications\AutoHotkey.exe
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe
FileDelete AutoHotkeyU32.exe
FileDelete AutoHotkeyA32.exe
FileDelete AutoHotkeyU64.exe
FileDelete AU3_Spy.exe
FileDelete AutoHotkey.chm
FileDelete license.txt
FileDelete Update.ahk
FileDelete %A_WinDir%\ShellNew\Template.ahk
FileDelete %ProductName% Website.url
FileRemoveDir %A_ProgramsCommon%\%CurrentStartMenu%, 1
MsgBox 64, AutoHotkey Setup
FileDelete AutoHotkey.exe
FileDelete Installer.ahk
FileRemoveDir %CurrentPath%
Run %ComSpec% /c "
(Join`s&`s
AutoHotkey.exe "%A_ScriptFullPath%" /kill %A_ScriptHwnd%
del Installer.ahk
del AutoHotkey.exe
rmdir "%CurrentPath%"
local exefile, binfile
if opt.type = "Unicode" {
exefile := "AutoHotkeyU32.exe"
binfile := "Unicode 32-bit.bin"
} else if opt.type = "x64" && A_Is64bitOS {
exefile := "AutoHotkeyU64.exe"
binfile := "Unicode 64-bit.bin"
} else if opt.type = "ANSI" {
exefile := "AutoHotkeyA32.exe"
binfile := "ANSI 32-bit.bin"
ErrorExit("Invalid installation type '" opt.type "'")
if !InStr(FileExist(opt.path), "D")
FileCreateDir % opt.path
ErrorExit("Unable to create installation directory ('" opt.path "')")
SetWorkingDir % opt.path
if (CurrentVersion <= "1.0.48.05") {
FileDelete Compiler\README.txt
FileDelete Compiler\upx.exe
FileDelete uninst.exe
local regView := (opt.type = "x64") ? 64 : 32
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe
if opt.ahk2exe
if !opt.ahk2exe
InstallFile("Compiler\" binfile, "Compiler\AutoHotkeySC.bin")
if opt.menu {
local smpath := A_ProgramsCommon "\" opt.menu
FileCreateDir %smpath%
FileCreateShortcut %A_WorkingDir%\AutoHotkey.exe, %smpath%\AutoHotkey.lnk
FileCreateShortcut %A_WorkingDir%\AU3_Spy.exe, %smpath%\AutoIt3 Window Spy.lnk
FileCreateShortcut %A_WorkingDir%\AutoHotkey.chm, %smpath%\AutoHotkey Help File.lnk
IniWrite %ProductWebsite%, %ProductName% Website.url, InternetShortcut, URL
FileCreateShortcut %A_WorkingDir%\%ProductName% Website.url, %smpath%\Website.lnk
FileCreateShortcut %A_WorkingDir%\Installer.ahk, %smpath%\AutoHotkey Setup.lnk
,,,, %A_WinDir%\System32\appwiz.cpl,, -1499
FileCreateShortcut %A_WorkingDir%\Compiler\Ahk2Exe.exe
, %smpath%\Convert .ahk to .exe.lnk
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, InstallDir, %A_WorkingDir%
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, Version, %ProductVersion%
if opt.menu
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, StartMenuFolder, % opt.menu
RegDelete HKLM, %AutoHotkeyKey%, StartMenuFolder
RegWrite REG_SZ, HKCR, .ahk,, %FileTypeKey%
RegWrite REG_SZ, HKCR, .ahk\ShellNew, FileName, Template.ahk
RegWrite REG_SZ, HKCR, %FileTypeKey%,, AutoHotkey Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\DefaultIcon,, %A_WorkingDir%\AutoHotkey.exe`,1
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open,, Run Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit,, Edit Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile,, Compile Script
RegRead value, HKCR, %FileTypeKey%\Shell,
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell,, Open
RegRead value, HKCR, %FileTypeKey%\Shell\Edit\Command,
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit\Command,, notepad.exe `%1
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile\Command,, "%A_WorkingDir%\Compiler\Ahk2Exe.exe" /in "`%l"
local cmd
cmd = "%A_WorkingDir%\AutoHotkey.exe"
if opt.utf8
cmd = %cmd% /CP65001
cmd = %cmd% "`%1" `%*
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open\Command,, %cmd%
RegRead value, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\RunAs\Command,, "%A_WorkingDir%\AutoHotkey.exe" "`%1" `%*
if opt.dragdrop
RegWrite REG_SZ, HKCR, %FileTypeKey%\ShellEx\DropHandler,, {86C86720-42A0-1069-A2E8-08002B30309D}
RegDelete HKCR, %FileTypeKey%\ShellEx
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe,, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe,, %A_WorkingDir%\Compiler\Ahk2Exe.exe
if opt.isHostApp
RegWrite REG_SZ, HKCR, Applications\AutoHotkey.exe, IsHostApp
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayName, %ProductName% %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, UninstallString, "%A_WorkingDir%\AutoHotkey.exe" "%A_WorkingDir%\Installer.ahk"
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayIcon, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayVersion, %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, URLInfoAbout, %ProductWebsite%
RegWrite REG_SZ, HKLM, %UninstallKey%, Publisher, %ProductPublisher%
RegWrite REG_SZ, HKLM, %UninstallKey%, NoModify, 1
Run AutoHotkeyU32.exe "%A_ScriptFullPath%" /fin %exefile% %A_ScriptHwnd% %SilentMode%
FileCopy %SourceDir%\%file%, %target%, 1
MsgBox 0x12, AutoHotkey Setup,
IfMsgBox Abort
IfMsgBox Ignore
InstallFile("AutoHotkeyU32.exe")
InstallFile("AutoHotkeyA32.exe")
InstallFile("AutoHotkeyU64.exe")
InstallFile("AU3_Spy.exe")
InstallFile("AutoHotkey.chm")
InstallFile("license.txt")
InstallFile("Installer.ahk")
if !FileExist(A_WinDir "\ShellNew\Template.ahk") {
InstallFile("Template.ahk", A_WinDir "\ShellNew\Template.ahk")
InstallFile("Compiler\Ahk2Exe.exe")
InstallFile("Compiler\ANSI 32-bit.bin")
InstallFile("Compiler\Unicode 32-bit.bin")
InstallFile("Compiler\Unicode 64-bit.bin")
FileDelete Compiler\Ahk2Exe.exe
FileDelete Compiler\ANSI 32-bit.bin
FileDelete Compiler\Unicode 32-bit.bin
FileDelete Compiler\Unicode 64-bit.bin
FileDelete Compiler\AutoHotkeySC.bin
.options {
.options a {
.marker {
a.button,
a.button {
a.button:visited,
.options a,
.options a:visited {
a.button:hover,
a.button:active,
.options a:hover,
.options a:active {
.options p {
.page {
.pager .page {
.nav {
.nav a, .nav a:visited {
.nav a:hover {
.nav .current {
.warning {
.textbox {
label.indent {
for (i = 0; i < arr.length; ++i)
fn.apply(arr[i]);
ci_nav_list.length = 0;
forEach (ci_nav.getElementsByTagName("a"), function() {
this.tabIndex = 1000;
if (this.hash != "") {
var list = this.parentNode == ci_nav_list ? ci_nav_list : null;
list[list.length++] = this;
this.onclick = function() {
forEach (list.getElementsByTagName("a"), function() {
this.className = "";
this.className = "current";
event.returnValue = switchPage(this.hash.substr(1));
if (curName == "AutoHotkey" && curVer <= "1.0.48.05") {
start_intro.innerText = curName + " v" + curVer + " is installed. What do you want to do?";
"ahk://Upgrade/ANSI", "Upgrade to v" + newVer + " (" + types.ANSI + ")", "Recommended for compatibility.",
warn = 'Note: Some AutoHotkey 1.0 scripts are not compatible with AutoHotkey 1.1.';
start_intro.innerText = "Please select the type of installation you wish to perform.";
start_intro.innerText = curName + " v" + curVer + curTypeName + " is installed. What do you want to do?";
for (i = 0; i < opt.length; i += 3) {
html.push('', opt[i+1], '');
html.push('

', opt[i+2], '

');
html.push('
\u00BB
');
html.push('');
start_options.innerHTML = html.join("");
start_warning.innerHTML = warn;
start_warning.style.display = warn ? "block" : "none";
start_nav.innerHTML = 'version ' + newVer + '';
installtype.value = defType;
installdir.value = instDir;
startmenu.value = smFolder;
startmenu.onblur();
forEach (document.getElementsByTagName("a"), function() {
if (/*this.className == "button" ||*/ this.parentNode.className == "options")
this.hideFocus = true;
document.onselectstart =
document.oncontextmenu =
document.ondragstart =
return window.event && event.srcElement.tagName == "INPUT" || false;
installtype.value = type;
ci_nav_list[1].click();
event.returnValue = false;
page = document.getElementById(page);
if (page.id == "start")
ci_nav_list[0].click();
for (var n = page.parentNode.firstChild; n; n = n.nextSibling) if (n.className == "page") {
n.style.display = "none";
n.style.display = "block";
switch (page.id) {
case "ci_version": f = "it_"   installtype.value; break;
try { document.getElementById(f).focus() } catch (ex) { }
if (startmenu.style.color == '#888')
startmenu.value = '';

AutoHotkey Setup

AutoHotkey is open source software: read license

Which version of AutoHotkey.exe should run by default?

 Browse
onfocus="if (style.color == '#888') value='', style.color = '';"
onblur="if (value == '') value = '(don\'t create shortcuts)', style.color = '#888';">
onclick = "startmenu.value=''; startmenu.onblur(); return false;">X
Next

Installs Ahk2Exe, a tool to convert any .ahk script into a stand-alone EXE.

Also adds a "Compile" option to .ahk context menus.

Download and re-run the installer to reinstall Ahk2Exe.

Files dropped onto a .ahk script will launch that script (the files will be passed as parameters). This can lead to accidental launching so some users may wish to disable it.

Causes each script which has visible windows to be treated as a separate program, but prevents AutoHotkey.exe from being pinned to the taskbar.

View Changes & New Features
View the Tutorial
Run AutoHotkey

Did you know AutoHotkey has a new home?

mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
AutoHotkey
%s[Object]: 0x%p
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
KeyWait
URLDownloadToFile
MsgBox
IfMsgBox
Hotkey
AHK Keybd
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Nonexistent hotkey.
Nonexistent hotkey variant (IfWin).
Max hotkeys.
The AltTab hotkey "%s" must specify which key (L or R).
The AltTab hotkey "%s" must have exactly one modifier/prefix.
"%s" is not allowed as a prefix key.
"%s" is not a valid key name.
scX
vkX
%s[%Iu of %Iu]: %-1.60s%s
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%s\%s
AutoHotkey2
Critical Error: %s
<>=/|^,:*&~!()[]{} -?."'\;`
>AUTOHOTKEY SCRIPT<
Could not extract script from EXE.
<>=/|^,:
<>=/|^,:. -*&!?~
Join
Hotkeys/hotstrings are not allowed inside functions.
Duplicate hotkey.
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
*%s::
if not GetKeyState("%s")
{Blind}%s%s{%s DownTemp}
*%s up::
{Blind}{%s Up}
#InstallKeybdHook
#HotkeyModifierTimeout
#HotkeyInterval
#MaxHotkeysPerInterval
#MaxThreadsPerHotkey
#KeyHistory
#MenuMaskKey
: -*/|&^.
<>=/|^,:*&~!()[]{} -?."
Invalid hotkey.
"%s" requires at least %d parameter%s.
"%s" requires that parameter #%u be non-blank.
<>=/|^,:*&~!()[]{}"
<>=/|^,:*&~!()[]{} -?
Quote marks are required around this key.
<>=/|^,:*&~!()[]{} -?.
%s.%s
Unsupported parameter default.
%s.%.*s := %.*s,
GetKey
HasKey
detecthiddenwindows
keydelay
subkey
thishotkey
priorhotkey
timesincethishotkey
timesincepriorhotkey
priorkey
Too many parameters passed to function.
Missing "key:" in object literal.
Too few parameters passed to function.
Unsupported method call syntax.
%s%s%s
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
u:
if %s %s %s and %s
%s%s %s %s
For %s,%s in %s
%s (%d) : ==> %s
Specifically: %s
in #include file "%s"
%s%s:%s %-1.500s
Specifically: %-1.100s%s
Error at line %u
Line Text: %-1.100s%s
%s (%d) : ==> Warning: %s
%s (a %s variable%s)
%s (in function %s)
Local Variables for %s()%s
%sGlobal Variables (alphabetical)%s
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
Key History has been disabled via #KeyHistory 0.
System verbs unsupported with RunAs.
%s %s
.exe.bat.com.cmd.hta
kernel32.dll
Verb: <%s>
Action: <%-0.400s%s>%s
Params: <%-0.400s%s>
&#%d;
EndKey:
s%sLeft
%sTop
%sRight
%sBottom
\AU3_Spy.exe"
%sAU3_Spy.exe"
\AutoHotkey.chm"
%sAutoHotkey.chm"
hh.exe
http://ahkscript.org
Could not open URL http://ahkscript.org in default browser.
SOFTWARE\AutoHotkey
AutoHotkey v1.1.14.02
set cdaudio door %s wait
open %s type cdaudio alias cd wait shareable
set cd door %s wait
\\.\%c:
Mixer Doesn't Support This Component Type
Component Doesn't Support This Control Type
open "%s" alias AHK_PlayMe
Select File - %s
All Files (*.*)
Text Documents (*.txt)
*.txt
1.1.14.02
\AutoHotkey.exe
Pos%s
Len%s
Pos%d
Len%d
Compile error %d at offset %d: %hs
RunAs: Missing advapi32.dll.
0.0.0.0
Select Folder - %s
%u.%u.%u.%u
%s%ws
AutoHotkeyGUI
%sGui
Button%s
msctls_hotkey32
Report
Password
Supported only for the tray menu
&Suspend Hotkeys
Gdd
dddddd
The following %s name contains an illegal character:
The maximum number of MsgBoxes has been reached.
7-()[]{}:;'"/\,.?!
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7z47B60374\setup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0
&Lines most recently executed
&Hotkeys and their methods
&Key history and script info
&Web Site

setup.exe_1780_rwx_00089000_00001000:

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat
CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
\??\%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
%Documents and Settings%\%current user%\Local Settings\Tempor


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    AutoHotkey111402_Install(2).exe:1168
    mscorsvw.exe:1924
    AutoHotkey111402_Install.exe:884
    vshovs.exe:1768
    rinst.exe:608

  2. Delete the original Monitor file.
  3. Delete or disinfect the following files created/modified by the Monitor:

    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (2813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (1000 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (21374 bytes)
    %Documents and Settings%\%current user%\Application Data\AutoHotkey111402_Install(2).exe (17629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Template.ahk (324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkey.chm (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\license.txt (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin (3761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\readme.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin (3885 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe (6347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AU3_Spy.exe (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe (3853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\setup.exe (6293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Installer.ahk (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe (3911 bytes)
    %System%\pk.bin (4 bytes)
    %System%\bpk.dat (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\rinst.exe (7 bytes)
    %System%\vshovswb.dll (1552 bytes)
    %System%\vshovs.exe (15168 bytes)
    %System%\inst.dat (996 bytes)
    %System%\vshovshk.dll (784 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vshovs" = "%System%\vshovs.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
