Trojan.Generic.5325758_52badfde88

by malwarelabrobot on September 4th, 2016 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Generic.5325758 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.NSIS.StartPage.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 52badfde88a0ee73f28b070519156057
SHA1: ca510f7efe1973edee837569fc53b6325abc6b59
SHA256: 90c9cbd3223f04ee03ae0a8d371082553c47f52fbe45256a038363db7613e303
SSDeep: 12288:nKHFvHmWbA7dB44i2sQ3r/ksIac4CnV/XptFg1AY8es91YfwKGbZq/TcjOO1:nKHF/mWbACQbqJfi1AYHEUnrc31
Size: 818603 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: MONOGRAM Multimedia, s.r.o.
Created at: 2009-02-21 21:46:23
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Done.exe:636
%original file name%.exe:580
WinInstall.exe:912
ntvdm.exe:2244
Rich.exe:1688
E4U.exe:1416
IC.exe:1232
EuroP.exe:1460
tbp.exe:1692
SLFAT.exe:1392
rundll32.exe:2848

The Trojan injects its code into the following process(es):

stb1.exe:444
tenn2.exe:564
Gi.exe:2008
willwnd.exe:424
rundll32.exe:1636
svchost.exe:1108
Explorer.EXE:1140
spoolsv.exe:1448

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process stb1.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\px[1].js (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\px[1].js (346 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@admarketplace[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zcredirect[1].htm (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\10990-28346606.ampxchange[1].htm (1056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANRFMN5.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xt.exe (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\12224[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@admarketplace[2].txt (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].net&pid=9PO755G95 (2266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\js3[1].js (2843 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@quickdomainfwd[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].htm (5 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83de2468-71e2-11e6-a14b-0ad4d45a4925[1].htm (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAX8W3TD (726 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].net&pid=9PO755G95 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sk-logabpstatus[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zcredirect[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@admarketplace[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83de2468-71e2-11e6-a14b-0ad4d45a4925[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAX8W3TD (0 bytes)

The process Done.exe:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WinInstall.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaC.tmp (45 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsaD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB.tmp (0 bytes)

The process %original file name%.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\EuroP.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\SLFAT.exe (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tenn2.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\E4U.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\converter7.exe (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Gi.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Rich.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tbp.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\IC.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (15568 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\EuroP.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tenn2.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\E4U.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\converter7.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Gi.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tbp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Rich.exe (0 bytes)

The process tenn2.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\track[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAN1TMRA.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\park.lwken[1].htm (1 bytes)

The process WinInstall.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\stb1.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\willwnd.exe (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshE.tmp (0 bytes)

The process ntvdm.exe:2244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\px[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (4185 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\px[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%WinDir%\assembly (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (344 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (4 bytes)
%WinDir%\Fonts (632 bytes)
%WinDir%\Temp\scs11.tmp (33880 bytes)
C:\$Directory (2240 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%System%\dllcache (648 bytes)
%System% (6264 bytes)
%WinDir%\Microsoft.NET\Framework\V2.0.50727 (768 bytes)
%WinDir% (972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DF39BF.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012016090320160904\index.dat (400 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\config (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_678.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zcredirect[1].htm (4 bytes)
%WinDir%\Temp\scs12.tmp (10145 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN (4 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs11.tmp (0 bytes)
%WinDir%\Temp\scs12.tmp (0 bytes)

The process IC.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)

The process EuroP.exe:1460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (166 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process tbp.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\packcrt.dll (90 bytes)

The process SLFAT.exe:1392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7za.exe (18424 bytes)
%Documents and Settings%\%current user%\Application Data\Done.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1.7z (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (12234 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd6.tmp (0 bytes)

Registry activity

The process stb1.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"xt.exe" = "xt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 FB 29 30 A0 25 76 03 46 85 89 BC 7E 86 60 16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Done.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 4C 49 81 44 A7 68 75 D0 90 58 88 75 0D 25 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WinInstall.exe" = "WinInstall"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Temp\7]
"7" = "http://www.flvtube.net/12224"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9.tmp, , \??\%WinDir%\TEMP\A.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\EuroP.exe,"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"tbp.exe" = "checkactivate"
"E4U.exe" = "Pagefile Manager"
"Rich.exe" = "Rich"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"SLFAT.exe" = "SLFAT"
"tenn2.exe" = "DrawOverWindows"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"EuroP.exe" = ".KLite Codec Pack"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"Gi.exe" = "Gi"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"converter7.exe" = "Systray .exe stub"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 A8 DC F0 F3 DC 63 2F 98 7C 34 66 12 3F 0A 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp]
"ic.exe" = "CTF Loader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process tenn2.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090320160904]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090320160904]
"CachePrefix" = ":2016090320160904:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090320160904]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090320160904]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090320160904]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016090320160904\"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 77 22 3D 3C 71 F4 E1 5E 48 75 6C CF EF 6E 2E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process WinInstall.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 31 20 8D 95 CD DB 4B 8E B6 B0 33 25 65 A2 C2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"stb1.exe" = "stb1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"willwnd.exe" = "willwnd"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Gi.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B AF 1D 4B 20 32 55 41 04 58 8F 78 F8 3D 71 B3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ntvdm.exe:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED FC 87 38 C7 2F FB 77 34 30 72 1A 02 B0 96 6F"

The process willwnd.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 BE A3 3E 64 E2 92 29 A2 9E 7E 3D 74 46 8B FF"

The process Rich.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 1A DF 3C A7 36 15 EF 28 DA EE 3F 51 67 C9 8D"

The process E4U.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 5F D5 DA 84 BB F5 A5 E5 BE 5A 7F 30 3E DF F0"

The process IC.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE BC CB D3 E7 CD 3D F1 71 48 66 45 BB D9 18 B7"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9.tmp,"

The process EuroP.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\]
"1806" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4C 5C A5 C5 95 0F B6 75 4B FE DC 6A 56 C0 47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process tbp.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 B7 D1 A8 52 C2 00 C1 78 55 05 BC 26 43 C0 1B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "36 01 31 03 3D 05 43 07 49 09 3B 0B 3E 0D 3A 0F"

The process SLFAT.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 C4 A2 6F 2C F4 76 F1 AB 5E C7 BC EE BC CC 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"done.exe" = "Done"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process rundll32.exe:2848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 C6 89 2D 36 46 68 76 0C 1C 22 0D 25 1A 8D 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"

The process rundll32.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE A6 13 F1 EB 04 53 40 65 6E 3E AE D5 DD 2A 2C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "180"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\packcrt.dll,Startup"

Dropped PE files

MD5	File path
718854b7caba09012abffa7d5836d782	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Done.exe
e92604e043f51c604b6d1ac3bcd3a202	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7za.exe
2511bf2b50a5741cc0d2b91972896c0c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9.tmp
ab8f527334017fec45cc285a063e4340	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WinInstall.exe
12896823fb95bfb3dc9b46bcaedc9923	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\explorer.dat
12e654572c6ebbf9fec73577d14ce83f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\Gi.exe
67ce715c6f59d2ebbbebae9564fcf97b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\SLFAT.exe
cb8f046e6b9fa5026d38fe5abb8f28fc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\tbp.exe
a94c45db924030d107edafebc29a8f09	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\tenn2.exe
04bcec7b6cef5cd941e5097b7401b55e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\stb1.exe
0ba8663c43440ea72fbd8f4b7890914d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\willwnd.exe
ed0ef0a136dec83df69f04118870003e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\winlogon.dat
a2133bda7bb648bdc433a117af905e81	c:\WINDOWS\Temp\A.tmp
a61da3b3f1b85cd2e94e0a7996b94229	c:\WINDOWS\packcrt.dll
8e28886e4a4fff518e51a9528b1482d4	c:\WINDOWS\system32\ms.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "UNKNOWN" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver ROOTKITPATH the Trojan intercepts DriverStartIO in a miniport driver of a hard drive controller (ATAPI) to handle request to its own files:

StartIo

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23458	23552	4.5133	2cec663f64ef38694dc96bb9f9cb766d
.rdata	28672	4496	4608	3.58909	db16645055619c0cc73276ff5c3adb75
.data	36864	3774424	1024	3.26654	b9d0aa986d9e766521436f5ad38cd7c5
.ndata	3813376	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	3846144	1736	2048	2.01899	2f2678dd9e97ae3fdffce33f180dbf60

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 78
13ab683047580206713a0f19ebe0427e
3a9d59d3c0513d9e09bdd7cd0913317a
09af02fa44c6bf227bb0d6e199a19499
6df0f423fb672c7925de87b12e214f89
6c77646a57ca346f85955675f504c751
35f27015c54bef542f360a7c2ba5c229
09044e8d1e7cb7f6883f983c17d17bcc
0503370605c61ff728ff008dc03a1825
709c892167fce654126edb577421be29
1dc8f3bb2a983d7137276a217b4d705b
0f339065053ebd425e75b23558963750
ca5d6a20d387eb2e49389f6a39636da9
8a2f117c3e780d2a0ee0aefc9602d738
14e473d02dd6b3107715a02a70cfc4ca
450999c36485a084aa7dd1b603da875b
a51b0e4d59528d3c37c089b3920aefe1
2f92f621850cf288ff8a61cc0a7e1034
0092c82b8f71c849b1799747344a0013
848bd0a9a22e7e72609328d19e9ac880
273bae01660db7dac324f798d2c8812b
e612517c3e59b53ffb829dab9699a8f7
5853e9ba1c8d75393dcef359471d5a9e
90eeaf37ac1ec866ddf48f1f56edf745
65b18506a33d72ec059fb281acf7f87e
485f7cc7b007342caccad569a8eb6b44

URLs

URL	IP
hxxp://www.flvtube.net/12224
hxxp://parkingcrew.net/assets/scripts/js3.js
hxxp://www.flvtube.net/track.php?domain=flvtube.net&toggle=browserjs&uid=MTQ3MjkxMjgzNS45MzQ4OmZlMDBkYjAzODc3ZTlhY2MxZjE1ZWMxODk4MjJiMDMzNWM3MGU2ZjI4YWYyMmExNjZkZjMzOGM3Nzc1OGYwYTE6NTdjYWRkYzNlNDNlNg==
hxxp://quickdomainfwd.com/?dn=flvtube.net&pid=9PO755G95	208.91.196.46
hxxp://lwken.com/click/?s=151123&c=255416	5.61.39.56
hxxp://767113.parkingcrew.net/?s=151123&c=255416
hxxp://quickdomainfwd.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1	208.91.196.46
hxxp://767113.parkingcrew.net/track.php?domain=lwken.com&toggle=browserjs&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ==
hxxp://767113.parkingcrew.net/track.php?click=5b53ccd02792a79936184954fc4d1abe5dbbc818&domain=lwken.com&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ==&ts=fHx8ZDQxZDh8fHxidWNrZXQwMzl8fHx8NTdjYWRkYzU0NDk5MXx8fDE0NzI5MTI4MzcuODAxM3w5ZjJjNjEwNTU0MzMwNTI4NjRkZDc5MjMzNTliODk5MjVkNTUzYTA5fHx8fHwxfHx8MHw1N2NhZGRjNThlNDdlYWE3MTc4YjRjODh8fHx8fHx8fDB8MHx8fHx8fHx8fA==&kw=&search=&pcat=&rxid=&bucket=&clientID=&adtest=off
hxxp://quickdomainfwd.com/px.js?ch=1	208.91.196.46
hxxp://quickdomainfwd.com/px.js?ch=2	208.91.196.46
hxxp://quickdomainfwd.com/sk-logabpstatus.php?a=STZaRExrSldTVVBEeGVNQnlDc0NnQkVNa2lZUXE5VVA2NXlvVkFoc29HWE9aUkdTT1pJa0hCVmVDakczMjhFa1hMM1lIZEEyTVBkdUNRdmFFY3VucTlubGhsUmxLSk9JYVFQdkJtMmszVnM9&b=false	208.91.196.46
hxxp://zu1.sierra-fox.com/zcvisitor/83de2468-71e2-11e6-a14b-0ad4d45a4925?	52.3.56.61
hxxp://zu1.sierra-fox.com/zcredirect?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925&type=js&browserWidth=589&browserHeight=317&iframeDetected=false	52.3.56.61
hxxp://bridge.sf.admarketplace.net/ct?version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1	72.28.103.32
hxxp://bridge.sf.admarketplace.net/ct?cid=1472912840200100000&cide=95644800000&ctcookie_value=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA&csession=1&version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1	72.28.103.32
hxxp://geo-static.ampxchange.com.akadns.net/?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8DfgYKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCzMI
hxxp://bridge.sf.admarketplace.net/bounce?click_id=1472912840200100000&m_width=1276&m_height=846&b_width=589&b_height=317&b_top=155&b_left=136&in_iframe=0	72.28.103.32
hxxp://tzpzc.com/px.js?ch=1	208.91.196.46
hxxp://tzpzc.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1	208.91.196.46
hxxp://park.lwken.com/track.php?domain=lwken.com&toggle=browserjs&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ==	54.72.9.51
hxxp://park.lwken.com/track.php?click=5b53ccd02792a79936184954fc4d1abe5dbbc818&domain=lwken.com&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ==&ts=fHx8ZDQxZDh8fHxidWNrZXQwMzl8fHx8NTdjYWRkYzU0NDk5MXx8fDE0NzI5MTI4MzcuODAxM3w5ZjJjNjEwNTU0MzMwNTI4NjRkZDc5MjMzNTliODk5MjVkNTUzYTA5fHx8fHwxfHx8MHw1N2NhZGRjNThlNDdlYWE3MTc4YjRjODh8fHx8fHx8fDB8MHx8fHx8fHx8fA==&kw=&search=&pcat=&rxid=&bucket=&clientID=&adtest=off	54.72.9.51
hxxp://10990-28346606.ampxchange.com/?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8DfgYKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCzMI	72.28.103.31
hxxp://zu1.zeroredirect11.com/zcredirect?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925&type=js&browserWidth=589&browserHeight=317&iframeDetected=false	52.3.56.61
hxxp://tzpzc.com/px.js?ch=2	208.91.196.46
hxxp://park.lwken.com/?s=151123&c=255416	54.72.9.51
hxxp://tzpzc.com/sk-logabpstatus.php?a=STZaRExrSldTVVBEeGVNQnlDc0NnQkVNa2lZUXE5VVA2NXlvVkFoc29HWE9aUkdTT1pJa0hCVmVDakczMjhFa1hMM1lIZEEyTVBkdUNRdmFFY3VucTlubGhsUmxLSk9JYVFQdkJtMmszVnM9&b=false	208.91.196.46
2b.perfectexe.com	204.11.56.48
www.facebook.com	31.13.92.36
google.co.id	216.58.214.195
youporn.com	31.192.116.24
katie.dntrx.com	54.173.213.61

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8DfgYKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCzMI HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: 10990-28346606.ampxchange.com


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:20 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 4349

Keep-Alive: timeout=15

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
..<html>..<head>..<title>Page Loading...</title&g
t;..<meta http-equiv="cache-control" content="no-cache" >..<m
eta http-equiv="pragma" content="no-cache" >..<meta http-equiv="
refresh" content="1;url=hXXp://bridge.sf.admarketplace.net/bounce?clic
k_id=1472912840200100000" >..</head>..<body>..<div s
tyle="height:300px"><a href="hXXp://bridge.sf.admarketplace.net/
bounce?click_id=1472912840200100000&isaction=5" id="redirect" style="c
olor: #FFFFFF">click here!</a></div>..<script type="
text/javascript">..function screenSizeParameters() { if (window.scr
een !== undefined) { return '&m_width='   window.screen.width   '&m_he
ight='   window.screen.height; } else if (window.java !== undefined) {
 var oScreen = ava.awt.Toolkit.getDefaultToolkit().getScreenSize().scr
een; return '&m_width='   oScreen.width   '&m_height='   oScreen.heigh
t; } else { return '&m_width=&m_height='; }};..function docSizeParamet
ers() { var doc = window.document; if (typeof window.innerWidth === 'n
umber') { return '&b_width='   window.innerWidth   '&b_height='   wind
ow.innerHeight;} else if (doc.documentElement !== undefined && doc.doc
umentElement.clientWidth !== undefined && doc.documentElement.clientWi
dth !== 0) { return '&b_width='   doc.documentElement.clientWidth   '&
b_height='   doc.documentElement.clientHeight; } else if (doc.body !==
 undefined && doc.body.clientWidth !== undefined) { return '&b_width='
   doc.body.clientWidth   '&b_height='   doc.body.clientHeight; } <<< skipped >>>

GET /zcredirect?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925&type=js&browserWidth=589&browserHeight=317&iframeDetected=false HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: zu1.zeroredirect11.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

redirected: JS

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 03 Sep 2016 14:27:19 GMT

Server: ZeroPark-Traffic
180..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://bridge.sf.admarketplace.net/ct?
version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1'">.
.</head>..<body>...<script type="text/javascript">..
..window.location="hXXp://bridge.sf.admarketplace.net/ct?version=16.0.
0&ci=1472912837068.10890&key=1472912837200800018.1";...</script>
..</body>.</html>..0..HTTP/1.1 200 OK..Cache-Control: no-s
tore, no-cache, pre-check=0, post-check=0..content-security-policy: de
fault-src 'self'; script-src 'self' 'unsafe-inline'..x-content-securit
y-policy: default-src 'self'; script-src 'self' 'unsafe-inline'..X-Web
Kit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'..redire
cted: JS..Content-Type: text/html;charset=UTF-8..Transfer-Encoding: ch
unked..Date: Sat, 03 Sep 2016 14:27:19 GMT..Server: ZeroPark-Traffic..
180..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://bridge.sf.admarketplace.net/ct?
version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1'">.
.</head>..<body>...<script type="text/javascript">..
..window.location="hXXp://bridge.sf.admarketplace.net/ct?version=16.0.
0&ci=1472912837068.10890&key=1472912837200800018.1";...</script>
..</body>.</html>..0..<<< skipped >>>

GET /12224 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.flvtube.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:05:55 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

X-Language: english

X-Template: tpl_CleanPeppermintBlack_twoclick

Content-Encoding: gzip
370.............T]s.H.}...a.b. DAGF.V.....$.1.2.6..|9..tk..6BjI......q
...=}._4......O..{\.~.....(n.;Q.,.{[email protected]..(....>..o.X..PJ
B..D.Y....5.....Rp.._....U.%...c...4h.{6.1t..lN...k/z.....%Of..s.q..1.
......."xS..4.8.....<..K.)..Xs.q..Y..ZPo0..S..e..r....)..7.x.\..].w
,.b.....u..f...0H8...$.F.?;..$.U`.F....A....I2HX.dw.?..q|......6......
.X.o...!...1*S.e...C3.`cH...9.A.7..... N...h....hh.vi[...\bo.C.."..g..
-5..(|g.xy0.q...8..dmet..*,.V.a...g. ..Y...s[..w..<.Q.....\y....O..
....t).O......!=B.N..Bl.....R..~.0.'.2\...a.....\$.$...95............f
Y...../..&*..*.7 ....=Z...u....S.....W.O#Wc2z..u.......1Z3..H.}5.]....
192...24...f.....V82.Uhn.>....,.M.1...qa5X.mY.*=m-..e..L....1..m}..
..Ac[.so[.......M-.N..b.....=t...... q.RH.(..$."A.J...........p~~.z.ql
...g....Z_.......... ... .E...L..W.#E.o..X.&..........h.......B.3.1V..
..0.6 . ].........r..\Uy4....2.g....]....a..l.]...^.v......0..HTTP/1.1
 200 OK..Server: nginx..Date: Sat, 03 Sep 2016 14:05:55 GMT..Content-T
ype: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection:
 keep-alive..Vary: Accept-Encoding..X-Check: 3c12dc4d54f8e22d666785b73
3b0052100c53444..X-Language: english..X-Template: tpl_CleanPeppermintB
lack_twoclick..Content-Encoding: gzip..370.............T]s.H.}...a.b. 
DAGF.V.....$.1.2.6..|9..tk..6BjI......q...=}._4......O..{\.~.....(n.;Q
.,.{[email protected]..(....>..o.X..PJB..D.Y....5.....Rp.._....U.%...
c...4h.{6.1t..lN...k/z.....%Of..s.q..1........"xS..4.8.....<..K.)..
Xs.q..Y..ZPo0..S..e..r....)..7.x.\..].w,.b.....u..f...0H8...$.F.?;<<< skipped >>>

GET /track.php?domain=flvtube.net&toggle=browserjs&uid=MTQ3MjkxMjgzNS45MzQ4OmZlMDBkYjAzODc3ZTlhY2MxZjE1ZWMxODk4MjJiMDMzNWM3MGU2ZjI4YWYyMmExNjZkZjMzOGM3Nzc1OGYwYTE6NTdjYWRkYzNlNDNlNg== HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.flvtube.net/12224

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.flvtube.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:05:55 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

Content-Encoding: gzip

14........................0..HTTP/1.1 200 OK..Server: nginx..Date: Sat
, 03 Sep 2016 14:05:55 GMT..Content-Type: text/html; charset=UTF-8..Tr
ansfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encodin
g..Access-Control-Allow-Origin: *..Content-Encoding: gzip..14.........
...............0..

GET /?s=151123&c=255416 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: park.lwken.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:29:59 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

Content-Encoding: gzip
3ec.............T.r.8.].....B...6S....I0......y%.r<.."....[6..T.M..
|..t...N~h..a>.9.F!.......vW...L.4C.^..x.$^.....G.$F. .a.k......<
;..\...M0....%.....=..mj.o[..."..L.M.i<...Y...%.f...z4$.a.....ep..h
"......._...y?x.j{.....k.{....R...T...p.EiF.z.Nw...[2.z{.Q..v.X.}.#..B
.....s-....vn[.(..$B^..\...3z...s....a-.....Z.........[.K.\i.j..E. ...
C.H.{]..\\./}..}..%.B..`......%.m*[email protected]."XM .]..a...)0....w
.\.....=.|2c.hz G..%....)c{.......J.{[email protected].'[email protected]^|.~!
.F.#7dS.5...9%.'...'!&.....5K..9Iw..z 8%9..*...!;%e.....u.'....--}...(
F;m].4w..={....:g*.....jA...#G........P..J..@..;..35..........?.;....*
h.......,.2.i...Y.E}.E.1....'..n.5;4.s..X1.'.u...r..,..=.....z3.N.zb%v
y>.o5..{...|.......b\o..k.....\}...e3..aBg..W.7~Ne..L.\.u^..V_...{.
q...cy ..q_q.bK."}...H...oZ.4..a...c..)q..f.elY..&.......@..<[...M.
D.1B.P....B..`..-ih.,Dd..{..O/i..r)........Hk.a.t.{\....%.-.<.....@
]....#&......r........0...D\.........hd.....aQ!....!...3 ...........R.
....|.f....(..3-..U....}......!N.............L......0..HTTP/1.1 200 OK
..Server: nginx..Date: Sat, 03 Sep 2016 14:29:59 GMT..Content-Type: te
xt/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-a
live..Vary: Accept-Encoding..X-Check: 3c12dc4d54f8e22d666785b733b00521
00c53444..Content-Encoding: gzip..3ec.............T.r.8.].....B...6S..
..I0......y%.r<.."....[6..T.M..|..t...N~h..a>.9.F!.......vW...L.
4C.^..x.$^.....G.$F. .a.k......<..\...M0....%.....=..mj.o[..."..L.M
.i<...Y...%.f...z4$.a.....ep..h"......._...y?x.j{.....k.{....R.<<< skipped >>>

GET /track.php?domain=lwken.com&toggle=browserjs&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ== HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://park.lwken.com/?s=151123&c=255416

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: park.lwken.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:29:59 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

Content-Encoding: gzip
14........................0......


GET /track.php?click=5b53ccd02792a79936184954fc4d1abe5dbbc818&domain=lwken.com&uid=MTQ3MjkxMjgzNy4yODUzOjQ0MTQ4YTgwNDM1ZGI0NjE0OGJjY2NjNDIyMzlhN2NlNGExYjIyN2UzMjM3MmM4NmYxOTA2M2JmMTFmNzAzMWQ6NTdjYWRkYzU0NWFhNQ==&ts=fHx8ZDQxZDh8fHxidWNrZXQwMzl8fHx8NTdjYWRkYzU0NDk5MXx8fDE0NzI5MTI4MzcuODAxM3w5ZjJjNjEwNTU0MzMwNTI4NjRkZDc5MjMzNTliODk5MjVkNTUzYTA5fHx8fHwxfHx8MHw1N2NhZGRjNThlNDdlYWE3MTc4YjRjODh8fHx8fHx8fDB8MHx8fHx8fHx8fA==&kw=&search=&pcat=&rxid=&bucket=&clientID=&adtest=off HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://park.lwken.com/?s=151123&c=255416

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: park.lwken.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:29:59 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

Content-Encoding: gzip

14........................0..HTTP/1.1 200 OK..Server: nginx..Date: Sat
, 03 Sep 2016 14:29:59 GMT..Content-Type: text/html; charset=UTF-8..Tr
ansfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encodin
g..Access-Control-Allow-Origin: *..Content-Encoding: gzip..14.........
...............0..

GET /trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tzpzc.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:18 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

ntCoent-Length: 4909

Keep-Alive: timeout=5, max=122

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

Cache-Control: private

Content-Encoding: gzip

Content-Length:       2061
...........Xyo......)<<M....B7HG].. ......j.$.I.....Q..;...Uu.;V
.z9..wV;.C50}...O.2%K.|...W.'.. ...~....?.Ga.Je.R.... ..6T.i...K.M5.V.
.7Ij.cI'z....\d`W.......D.../...b*.....HB..F.qiC...d`.6....\.q....B...
`..b......a.A~...2x.5y6;......./Tq..[.1n...?.....=.a/f..S.GW..G...d...
`.8.9..l....1.-c4j......<;....Ts....Y..v.\.....}..n.f.{...#'\....."
.k.......5...W;7L[.p-..w.S... ..z.g.z5].{mx..aM.2.:G...:6..k'..@>EW
.|W..?^........~>....m...`,K....o..'?...t...b...^.N?.*7O.S*..9.?...
.....swQ..n"..E..Z..V.Xl....r.M....y.Bt/ .7A.. ....[[email protected]
sB......$.VQ...`6\..e.M ua.&.....F.....A........VG..X.h........dg.J..|
..;...... .,.6.D..,..-...7b.U. ..t......k....U.{..h. ......S.]8.:..F..
......D.. A.m.U3.y.....KW.k...._...6..............G.u._.Dz.....c-.zw.&
lt;<....|..........q/.....7.F..o.....h9&.j.O.._...*.O....w.....C..@
uv.B........t........wsy.).;.....s....P...{......]....{..K:.C.K\..h2Y.
..&..^....a..T6...V.._q_by.G...W.<.......Z....`B.3B.8J.X .......n6.
O.i.C.. ..km@t.^Y.........~ l....J*<..s..u.a.8&hL...P..H...`q..8.S;
.n.nI.?{....Su..X..i <q...w.N(pJ.....O...2..d_bh..7x.....=.....U...
h...7.n. [email protected](....0.LG......]? TGB-....-qCB.^C..[.I..{E.CL.....&.3.
cc#.T........yK.......Z.<.!....Q.C..,.4l...q"...L....)!..r.W... ...
....~...LD)....p%G.....C.'..=.pI.Bc.U"...c.%kZ.PbA@`1.o...x...].T3...&
lt;.T...-9?...y..H..h.}..G.Z7]p$ ..Vn..;.....MbSP....dV#.m.#..`.4 .|..
..Q.n.{.yc;.....xJ43.......-..0..Q.xH!n ..j.b...K...VS.B...E.v....TS.P
...c...._H..c....L...Xz&'....J.. ..v..m.......~(xb.LAj&w........[.<<< skipped >>>

GET /px.js?ch=1 HTTP/1.1

Accept: */*

Referer: hXXp://tzpzc.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tzpzc.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:18 GMT

Server: Apache

Last-Modified: Thu, 11 Jun 2015 06:47:35 GMT

Accept-Ranges: bytes

Content-Length: 346

Cache-Control: max-age=1209600

Expires: Sat, 17 Sep 2016 14:27:18 GMT

Vary: Accept-Encoding,User-Agent

Keep-Alive: timeout=5, max=115

Connection: Keep-Alive

Content-Type: application/x-javascript
var abp=abp||false;var scripts=document.getElementsByTagName("script")
;var script=scripts[scripts.length-1];if(script){var query=script.src.
replace(/^[^\?] \??/,"").split("&");var params={};for(var i=0;i<que
ry.length;i  ){var param=query[i].split("=");params[param[0]]=param[1]
}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp&&false};<
/font>....

GET /px.js?ch=2 HTTP/1.1

Accept: */*

Referer: hXXp://tzpzc.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tzpzc.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:18 GMT

Server: Apache

Last-Modified: Thu, 11 Jun 2015 06:47:35 GMT

Accept-Ranges: bytes

Content-Length: 346

Cache-Control: max-age=1209600

Expires: Sat, 17 Sep 2016 14:27:18 GMT

Vary: Accept-Encoding,User-Agent

Keep-Alive: timeout=5, max=121

Connection: Keep-Alive

Content-Type: application/x-javascript
var abp=abp||false;var scripts=document.getElementsByTagName("script")
;var script=scripts[scripts.length-1];if(script){var query=script.src.
replace(/^[^\?] \??/,"").split("&");var params={};for(var i=0;i<que
ry.length;i  ){var param=query[i].split("=");params[param[0]]=param[1]
}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp&&false};H
TTP/1.1 200 OK..Date: Sat, 03 Sep 2016 14:27:18 GMT..Server: Apache..L
ast-Modified: Thu, 11 Jun 2015 06:47:35 GMT..Accept-Ranges: bytes..Con
tent-Length: 346..Cache-Control: max-age=1209600..Expires: Sat, 17 Sep
 2016 14:27:18 GMT..Vary: Accept-Encoding,User-Agent..Keep-Alive: time
out=5, max=121..Connection: Keep-Alive..Content-Type: application/x-ja
vascript..var abp=abp||false;var scripts=document.getElementsByTagName
("script");var script=scripts[scripts.length-1];if(script){var query=s
cript.src.replace(/^[^\?] \??/,"").split("&");var params={};for(var i=
0;i<query.length;i  ){var param=query[i].split("=");params[param[0]
]=param[1]}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp
&&false};....


GET /sk-logabpstatus.php?a=STZaRExrSldTVVBEeGVNQnlDc0NnQkVNa2lZUXE5VVA2NXlvVkFoc29HWE9aUkdTT1pJa0hCVmVDakczMjhFa1hMM1lIZEEyTVBkdUNRdmFFY3VucTlubGhsUmxLSk9JYVFQdkJtMmszVnM9&b=false HTTP/1.1

Accept: */*

Referer: hXXp://tzpzc.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tzpzc.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:18 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 0

Keep-Alive: timeout=5, max=123

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK..Date: Sat, 03 Sep 2016 14:27:18 GMT..Server: Apache..
Vary: Accept-Encoding,User-Agent..Content-Length: 0..Keep-Alive: timeo
ut=5, max=123..Connection: Keep-Alive..Content-Type: text/html; charse
t=UTF-8..

GET /click/?s=151123&c=255416 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: lwken.com

Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently

Date: Sat, 03 Sep 2016 05:01:30 GMT

Server: Apache/2.2.15 (CentOS)

Location: hXXp://park.lwken.com?s=151123&c=255416

Content-Length: 326

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://park.lwken.com?s=151123&c=255
416">here</a>.</p>.<hr>.<address>Apache/2.2
.15 (CentOS) Server at lwken.com Port 80</address>.</body>
</html>...

GET /zcvisitor/83de2468-71e2-11e6-a14b-0ad4d45a4925? HTTP/1.1

Referer: hXXp://zu1.sierra-fox.com/zcvisitor/83de2468-71e2-11e6-a14b-0ad4d45a4925?

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Accept: */*

Host: zu1.sierra-fox.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 03 Sep 2016 14:27:19 GMT

Server: ZeroPark-Traffic
3ef..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://zu1.zeroredirect11.com/zcredire
ct?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925&type=meta'">..</
head>..<body>...<script type="text/javascript">....setT
imeout(function () {.....var pageWidth = window.innerWidth ? window.in
nerWidth : (document.documentElement && document.documentElement.clien
tWidth ? document.documentElement.clientWidth : document.getElementsBy
TagName('body')[0].clientWidth);.....var pageHeight = window.innerHeig
ht ? window.innerHeight : (document.documentElement && document.docume
ntElement.clientHeight ? document.documentElement.clientHeight : docum
ent.getElementsByTagName('body')[0].clientHeight);.....var iframeDetec
ted = window.self !== window.top;.....window.location="hXXp://zu1.zero
redirect11.com/zcredirect?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925
&type=js&browserWidth="   pageWidth  "&browserHeight="   pageHeight  "
&iframeDetected="   iframeDetected;....}, 1);...</script>..</
body>.</html>..0..

GET /ct?version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bridge.sf.admarketplace.net

Connection: Keep-Alive


HTTP/1.1 302 Found

Server: Apache-Coyote/1.1

Set-Cookie: JSESSIONID=1AAD0654AC6B559CA3902EF6F5E24EDA; Path=/; HttpOnly

P3P: CP="CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

Set-Cookie: bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; Expires=Wed, 02-Nov-2016 14:27:20 GMT

Set-Cookie: bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; Domain=.admarketplace.net; Expires=Wed, 02-Nov-2016 14:27:20 GMT

Set-Cookie: csession_1472912840200100000=1472912840012; Expires=Sat, 03-Sep-2016 14:57:20 GMT

Set-Cookie: csession_1472912840200100000=1472912840012; Domain=.admarketplace.net; Expires=Sat, 03-Sep-2016 14:57:20 GMT

Location: hXXp://bridge.sf.admarketplace.net/ct?cid=1472912840200100000&cide=95644800000&ctcookie_value=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA&csession=1&version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1

Content-Length: 0

Date: Sat, 03 Sep 2016 14:27:19 GMT
....


GET /ct?cid=1472912840200100000&cide=95644800000&ctcookie_value=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA&csession=1&version=16.0.0&ci=1472912837068.10890&key=1472912837200800018.1 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bridge.sf.admarketplace.net

Connection: Keep-Alive

Cookie: JSESSIONID=1AAD0654AC6B559CA3902EF6F5E24EDA; bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; csession_1472912840200100000=1472912840012; bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; csession_1472912840200100000=1472912840012


HTTP/1.1 302 Found

Server: Apache-Coyote/1.1

Location: hXXp://10990-28346606.ampxchange.com?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8DfgYKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCzMI

Content-Length: 0

Date: Sat, 03 Sep 2016 14:27:19 GMT

HTTP/1.1 302 Found..Server: Apache-Coyote/1.1..Location: hXXp://10990-
28346606.ampxchange.com?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8Dfg
YKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCz
MI..Content-Length: 0..Date: Sat, 03 Sep 2016 14:27:19 GMT.....
.

GET /bounce?click_id=1472912840200100000&m_width=1276&m_height=846&b_width=589&b_height=317&b_top=155&b_left=136&in_iframe=0 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://10990-28346606.ampxchange.com/?sid=NUEmXTQIGzkoGShQXgs5J1ADAzY2UCoXPQhBNn8DfgYKW3l0AUdBamcCfwljXQU2fAd4Ah5acmEFRFNrZwl9DmlfBTZ/Dn0aAV55YgxBXWhmCzMI

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bridge.sf.admarketplace.net

Connection: Keep-Alive

Cookie: JSESSIONID=1AAD0654AC6B559CA3902EF6F5E24EDA; bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; csession_1472912840200100000=1472912840012; bridge_v2=1472912840012.1AAD0654AC6B559CA3902EF6F5E24EDA; csession_1472912840200100000=1472912840012


HTTP/1.1 302 Found

Server: Apache-Coyote/1.1

Location: hXXps://VVV.facebook.com/campaign/landing.php?campaign_id=1565112697068002&partner_id=admarket&placement=Ukraine&extra_1=1472912840200100000

Content-Length: 0

Date: Sat, 03 Sep 2016 14:27:20 GMT

HTTP/1.1 302 Found..Server: Apache-Coyote/1.1..Location: hXXps://VVV.f
acebook.com/campaign/landing.php?campaign_id=1565112697068002&partner_
id=admarket&placement=Ukraine&extra_1=1472912840200100000..Content-Len
gth: 0..Date: Sat, 03 Sep 2016 14:27:20 GMT..

GET /zcvisitor/83de2468-71e2-11e6-a14b-0ad4d45a4925? HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://tzpzc.com/trf?&o=HFRAMAuCnlXeP3KlHXkYsOaly3GLenZ43pkQYGb+kpYA3tdDpxVqycjzk0vZlLhmGTzHXDjkpFGw/hS+I0X3ab/EkOEHSzp73cgAf4qbq4bfg3ScSql5j38kDQdoDeTo940aU35X4R5MRgNwHOfuhnNPytAMxBdz6gYmLqR5GR1gSOVGM7L/c8EMxIJyqkCACGH/GsNsaNdlltxCL+jtpeOK3Gxtz1dJ/UGL60Kfy2cx9fMm6T+W2q3iOMLZArmpZm0ckskx5HiV35MeMlv7j5vogltbEqj7L3e+JoKSuohXkldg8P8XS6XbdIqaMdcNQ4NlyqEst3uWjLqb26QeMFEAhuCESyP0f5prwASk7rnIlaGGCt+SvF7c3wBXH6PV&c=21242204584369804966200&n=0HmIW0ZsBwY7+oKbpKNcMiiKkOzszstU7HHWkQbByqvIrsfAI7LfUkRWNyPpF2uOeDQ4If5H/i5T8wG2ZSOY7wxw/30Du/yxzk2gf9GX2tKIl3p0TeDh+Hu0h+BBqijdnJUcbBc67/CVtbVvhDwJJGaog6PNwQ2nKD0et8n9PVnziOlPt6yqALR3mZBjGM0H4UTVrc7uCNQYIaU8CFtpYbBqojnfHym9be7B06zeqcDxZzHWG+ayL2xo/ipyy4alk3Pde9zCfkPsHsh3NiWc8LWnXj62vDnnh+nM/Da+srej7n36z+AwlQ9Fqd2AOjpcmSxyjCy6F8o1kNGZjQ53Uax1HQdyBa76IFpTxPu52fzpm/rKDuInKBLFgP7ixEt+Opt4MpYPKLbciIV4Wvmq1leNoP6wFRgRR4V83keVYblPeCDs3/aa31zxQPGtc9aN&kgp=0&jccheck=1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: zu1.sierra-fox.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Sat, 03 Sep 2016 14:27:18 GMT

Server: ZeroPark-Traffic
3ef..<!DOCTYPE html>.<html>..<head>...<META http-
equiv="refresh" content="1;URL='hXXp://zu1.zeroredirect11.com/zcredire
ct?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925&type=meta'">..</
head>..<body>...<script type="text/javascript">....setT
imeout(function () {.....var pageWidth = window.innerWidth ? window.in
nerWidth : (document.documentElement && document.documentElement.clien
tWidth ? document.documentElement.clientWidth : document.getElementsBy
TagName('body')[0].clientWidth);.....var pageHeight = window.innerHeig
ht ? window.innerHeight : (document.documentElement && document.docume
ntElement.clientHeight ? document.documentElement.clientHeight : docum
ent.getElementsByTagName('body')[0].clientHeight);.....var iframeDetec
ted = window.self !== window.top;.....window.location="hXXp://zu1.zero
redirect11.com/zcredirect?visitid=83de2468-71e2-11e6-a14b-0ad4d45a4925
&type=js&browserWidth="   pageWidth  "&browserHeight="   pageHeight  "
&iframeDetected="   iframeDetected;....}, 1);...</script>..</
body>.</html>..0..

GET /assets/scripts/js3.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.flvtube.net/12224

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: parkingcrew.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 03 Sep 2016 14:05:55 GMT

Content-Type: application/javascript

Content-Length: 17915

Connection: keep-alive

Last-Modified: Tue, 23 Feb 2016 09:02:42 GMT

ETag: "56cc2032-45fb"

Accept-Ranges: bytes
var web2dspl = num_ads;..function getU(name) { ..var pattern = "[\?&]"
 name "=([^&#]*)"; ..var regex=new RegExp(pattern); ..var res=regex.ex
ec(document.location.href); ..if(res==null){return ""}else{return deco
deURIComponent(res[1])}.}..function checkWebsrc() {..if (reqt == 's' &
& got_ads) {...prepWebres();....if( document.getElementById('webrsc') 
) {....window.setTimeout(function() {.....document.getElementById('web
rsc').setAttribute('src', scriptPath   '/scripts/webres.php?max=' enco
deURIComponent(web2dspl) '&c=' encodeURIComponent(country) '&xbase=' e
ncodeURIComponent(xbase) '&search=' encodeURIComponent(afs_q) "&d=" en
codeURIComponent(domain) "&auto_load=" encodeURIComponent(xt_auto_load
));....}, 200);...}..} else {...window.setTimeout(function() {....if(d
ocument.getElementById('webresults')) document.getElementById('webresu
lts').innerHTML = '';...}, 100);..}.}..function prepWebres() {..if(ass
et_path == undefined) asset_path = '';..if(document.getElementById('we
bresults')) document.getElementById('webresults').innerHTML = '<spa
n id="ajaxloaderHolder"><img src="' asset_path '/images/ajax-loa
der.gif" class="ajax-loader" /></span>';.}..var fallback_done
 = false;.function afdFallback() {..if (reqt == 's' && !got_ads && nav
igator.appVersion.search("WebKit") <= 0) {.//..google_afd_request =
 { 'adtest': adtest, client: clientIDd, domain_name: domain, num_radli
nks: 0, hl: xlang, ad: 'w'   num_ads, 'num_ads': num_ads, token: searc
h_token, kw: keyword, q: afs_q, user_search: is_UserSearch };...tr<<< skipped >>>

GET /?dn=flvtube.net&pid=9PO755G95 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: quickdomainfwd.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 03 Sep 2016 14:27:16 GMT

Server: Apache

Set-Cookie: vsid=924vr2204584367504966; expires=Thu, 02-Sep-2021 14:27:16 GMT; path=/; domain=quickdomainfwd.com; httponly

Expires: Mon, 22 Jul 2002 11:12:01 GMT

Cache-Control: private, no-cache

Pragma: no-cache

Vary: Accept-Encoding,User-Agent

ntCoent-Length: 5020

Keep-Alive: timeout=5, max=120

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

Content-Encoding: gzip

Content-Length:       1399
...........X...8.}....#:...Jc..]e..7p.,......b1;.......YU.=SY..c=.E:..
.....6....F.1...k..8.....r....J...a.Q....%K<..|n6q.....~.'.o.!'....
g..;".Yx..=......D...D..$...#7:..6&Q...x)].z.../lK.8...L..J......#....
.U.......x...q[7-f.7...0=w.2.....6.......HkK............Q..._....nY.e/
H.%......_....cA$=B*..lx....1...).F.q.2^.`',Yja.4.....[.:.1.(...'~t.).
.n...=....]...5.<.O.Kw. ....6Yh.]..zj..a..1.5....-{E<M1....X....
fS....M.Rf'Jn...&....a....:.B.6:.........4M.;.6..{T...4E=..%...uNG.S.8
..=Z.Pr....i..]W...J...u..&?.....>.....LA.U{nv..r:..M.........2.$#.
"/].2.......D..Ml.O...4.....^vP.A.$2..................,&........Q<.
.E./....]......>..l,.Nsm...pt.Gqx.L...:..(.D1...R<.$.V,.<....
..y...._.MWM..fd..{.Cp...u..U..D...Xi....aKb.7o..... ........v..[.,./.
......2...e..h..Y.6..'t.b....h9....O.uT".....X.........<$.*{.......
1...tOE.I...McZe.R......Z.G.@s8..[.....i....\.<....X..keY..1..\MV&g
t;..}...m..zZ.........W.9......=.Gu..n.."..G@..%..y.i.j}n......-..4..I
.......0AY.....j...=..0q".<-.2.B\..]...:.EDz0.q.O.C..U......if.@...
.........4.=........Z.*... .|.u....x......'.J$....F..../......4*.....g
..g........?..j...4..8.|?F.n..!. .nk.......A....9...'N`5Z?I.j.Y.8..r.l
..%....$.gI...j...}$.o.O.....W..;..W..Z.r....6...z........{/..rx/...r.
..~.....~....D..S...B..U.x..Y.o.8....jU.xNP.i.5*...?..bh7P.QT.*.~%..&l
t;....Q..N."R...............3..3w.....Jg.c....Q..M~.p........M....... 
..Zw....]..?t`.......K.........6........<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

SLFAT.exe_1392:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

cuments and Settings\"%CurrentUserName%"\Application Data\Done.exe

open "%Documents and Settings%\%current user%\Application Data\Done.exe"

"%Documents and Settings%\%current user%\Application Data\Done.exe"

.reloc

q.cf&

MB, # %s =

RAM %s

N)0.BG

:\Documents and Settings\"%CurrentUserName%"\Application Data\Done.exe"

"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\SLFAT.exe"

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp

SLFAT.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd6.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\SLFAT.exe

Gi.exe_2008:

`.rsrc

Ludps

WebBrtsLr

vb6chs.dll

.Create

udpsocket

AutoDownload.Socket

WebBrowser1

SHDocVwCtl.WebBrowser

shdocvw.dll

WebBrowser

VBA6.DLL

InternetOpenUrlA

wininet.dll

HttpQueryInfoA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%System%\shdocvw.oca

2rudpsocket

advapi32.dll

RegCreateKeyA

RegCloseKey

RegOpenKeyA

shell32.dll

udpstop

ws2_32.dll

%System%\msvbvm60.dll\3

RemotePort

LocalPort

netapi32.dll

GetProcessHeap

SAFE_OsrrW8QT3oyL2DrXBq0HbxrLleTcp1wv

Returns/Sets the port to be connected to on the remote computer

lngPort

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

.text

`.data

.rsrc

qo%S2

ld2%S2 of

4%S WL

S2%S\Wo

deXEQ

we2%S

O!2%S2W AS2%Stla%S2%nt"*

).eX!

S2%Sher0

KERNEL32.DLL

MSVBVM60.DLL

*\AS:\Worker\tempvbp\AutoDownload.vbp

USER32.DLL

ADVAPI32.DLL

WININET.DLL

RegOpenKeyExA

@*\AS:\Worker\tempvbp\AutoDownload.vbp

dick.exe

tenn2.exe_564_rwx_05F40000_00010000:

s@SShi

LHGDbeXEwwo

rundll32.exe_1636:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Gi.exe_2008_rwx_00401000_00058000:

.Create

udpsocket

AutoDownload.Socket

WebBrowser1

SHDocVwCtl.WebBrowser

vb6chs.dll

shdocvw.dll

WebBrowser

VBA6.DLL

InternetOpenUrlA

wininet.dll

HttpQueryInfoA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%System%\shdocvw.oca

2rudpsocket

advapi32.dll

RegCreateKeyA

RegCloseKey

RegOpenKeyA

shell32.dll

udpstop

ws2_32.dll

%System%\msvbvm60.dll\3

RemotePort

LocalPort

netapi32.dll

GetProcessHeap

SAFE_OsrrW8QT3oyL2DrXBq0HbxrLleTcp1wv

Returns/Sets the port to be connected to on the remote computer

lngPort

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

.text

`.data

.rsrc

qo%S2

ld2%S2 of

4%S WL

S2%S\Wo

deXEQ

we2%S

*\AS:\Worker\tempvbp\AutoDownload.vbp

USER32.DLL

KERNEL32.DLL

ADVAPI32.DLL

WININET.DLL

RegOpenKeyExA

@*\AS:\Worker\tempvbp\AutoDownload.vbp

rundll32.exe_1636_rwx_00970000_00010000:

s@SShi

LHGDbeXEwwo

willwnd.exe_424:

.text

`.data

.rsrc

MSVBVM60.DLL

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

user32.dll

VBA6.DLL

@*\AC:\Users\Sean\Desktop\stbnes\willwind\Project1.vbp

killwnd.exe

rundll32.exe_1636_rwx_10000000_00001000:

.text

`.data

.reloc

willwnd.exe_424_rwx_00E60000_00010000:

s@SShi

LHGDbeXEwwo

stb1.exe_444:

.text

`.data

.rsrc

MSVBVM60.DLL

Project1.UserControl1

SHDocVwCtl.WebBrowser

StrUrl

ieframe.dll

WebBrowser

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\System32\ieframe.oca

user32.dll

EnumWindows

shell32.dll

ShellExecuteA

VBA6.DLL

EnumChildWindows

WinHttp

.HTTPDownload

 .C:\Windows\system32\winhttp.dll

C:\Windows\system32\mshtml.tlb

*\AC:\Users\Sean\Desktop\stbnes\Project1.vbp

\xt.exe

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

@*\AC:\Users\Sean\Desktop\stbnes\Project1.vbp

1.00.0011

stb1.exe

stb1.exe_444_rwx_033B0000_00010000:

s@SShi

LHGDbeXEwwo

svchost.exe_1108_rwx_00A70000_00012000:

t.FE;l$

winmm.dll

ole32.dll

maxhttpredirects

software\microsoft\windows\currentversion\internet settings

enablehttp1_1

software\microsoft\windows\currentversion\internet settings\zones\3

%s\%s

hXXp://%s/?xurl=%s&xref=%s

clk=%s&bid=%s&aid=%s&sid=%s&rd=%s

atl.dll

oleaut32.dll

n%D,3

Global\3006345f-6baf-4669-a7e1-aaa310564be9

kdmf.tmp

%d|%d|%s|%s

Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)

DownloadAndExecute

DownloadCryptedAndExecute

DownloadCryptedAndExecute2

%[^.].%[^(](%[^)])

command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s

setup.exe

google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;myspace.com;answers.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;macromedia.com;adobe.com;amazon.com;facebook.com;youtube.com;wikipedia.org;wikimedia.org;twitter.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com

HTTP/1.1 302 Found

Location: %s

HTTP/1.1 200 OK

Content-Length: %d

<html><head><script type="text/javascript">function f(){var url="%s";try{var x=document.getElementById("_a");x.href=url;x.click()}catch(e){try{var x=document.getElementById("_f");x.action=url;x.submit()}catch(e){}}}</script></head><body onload="f()"><a id="_a"></a><form id="_f" method="get"></form></body></html>

<html><body onload="javascript:history.back()"></body></html>

hXXps://68b6b6b6.com/;hXXps://61.61.20.132/;hXXps://34jh7alm94.asia/;hXXps://61.61.20.135/;hXXps://nyewrika.in/;hXXps://rukkieanno.in/

hXXp://rudolfdisney.com/;hXXp://crozybanner.com/;hXXp://imagemonstar.com/;hXXp://funimgpixson.com/;hXXp://bunnylandisney.com/

hXXp://cri71ki813ck.com/

hXXp://lkckclckl1i1i.com/

cfg.ini

urlmon.dll

bckfg.tmp

svchost.exe

Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08

*firefox*

*chrome*

*opera*

Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7

Global\cc51461b-e32a-4883-8e97-e0706dc65415

keywords

Accept-Language: %s

%s hXXp://%s/?xurl=%s&xref=%s

%s %s

1.6|%s|%s|%s|%s|%s|%s

0123456789

software\classes\http\shell\open\command

firefox

<>:"/\|?*

%s-%s

. d SP.%s

%s.dll

kernel32.dll

.text

.rdata

Global\452fefe0-a06e-400f-8d6b-6a12a0a09d4b

VVV.google.

/webhp

search.yahoo.com

.altavista.com

/web/results

.ask.com

VVV.exalead.com

/search/web/results

VVV.alltheweb.com

search.lycos.

tab=web

gigablast.com

cuil.com

.aol.

entireweb.com

md=web

VVV.search.com

VVV.mamma.com

mytalkingbuddy.com

searchservice.myspace.com

type=web

search.conduit.com

search.toolbars.alexa.com

alltheinternet.com

/ws/results/web/

%u|%u

ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s

hXXp://%s%s

?xurl=

http/1.

mozilla

windowsupdate

\\?\globalroot\device\00000a8a\3edcdc2b\kdmf.tmp

%WinDir%\System32\svchost.exe

1078081533

\\?\globalroot\device\00000a8a\3edcdc2b

cmd.dll

\\?\globalroot\device\00000a8a\3edcdc2b\keywords

\\?\globalroot\device\00000a8a\3edcdc2b\cfg.ini

WinExec

SHEnumKeyExA

FindFirstUrlCacheEntryW

UnlockUrlCacheEntryFileW

DeleteUrlCacheEntryW

FindNextUrlCacheEntryW

InternetCrackUrlA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoW

FindCloseUrlCache

`.rdata

@.data

.reloc

KERNEL32.DLL

ADVAPI32.dll

imagehlp.dll

ntdll.dll

SHLWAPI.dll

USER32.dll

WININET.dll

WebBrowser

%s-%d

eplorer\iexplore.exe" -nohome

Explorer.EXE_1140_rwx_00FF0000_00009000:

.exeu]

%szptfzubjhp.php?adv=adv468&code1=%s&code2=%s&id=%d&p=%s&b=%s

Chrome

Firefox

Opera

%swtlj.exe

%ssjnlgn.php?adv=adv468

%stmvspdwr.exe

%styfnhc.php?adv=adv468

%sifdla.exe

%sxbvqxsa.php?adv=adv468

%syset.exe

%sxavdxsz.php?adv=adv468

%sldnhp.exe

%shyfaitavt.php?adv=adv468

%sbekyd.exe

%sqhlkrzhf.php?adv=adv468

%sbxxlpcxo.exe

%skbwdyfeyta.php?adv=adv468

%shywgxge.exe

%smmaucwe.php?adv=adv468

%sokyqih.exe

%scptrlg.php?adv=adv468

%snyjq.exe

%sizgowq.php?adv=adv468

%saydvhkl.exe

%siztbjhowu.php?adv=adv468

%sultamgbih.php?adv=adv468

hXXp://bbpolis.com/timuo/

hXXp://abretor.com/timuo/

psapi.dll

ddraw.dll

urlmon.dll

shell32.dll

kernel32.dll

user32.dll

wininet.dll

ntdll.dll

\svchost.exe

explorer.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\E4U.exe

ShellExecuteExA

InternetOpenUrlA

HttpQueryInfoA

.text

`.rdata

@.data

.reloc

%szptfzubjhp.p

ChromeFirefox

httpo%u

fnhcifdla$%sxbvk

polis.Qm/timuo/

`.rd!!

KERNEL32.DLL

ADVAPI32.dll

DDRAW.dll

PSAPI.DLL

SHELL32.dll

SHLWAPI.dll

USER32.dll

WININET.dll

spoolsv.exe_1448_rwx_012E0000_00100000:

.tesx

`.rdat

.config

Ng.

.Lu;;:

DP%xU

.cV#~E

O.BY#

{|.eB

t&`%f

.text

`.rdata

@.data

.reloc

N. d SP.

%x%x%x%x%x%x

%s|%s|%s|%x|%x|%s|prn3

%[^;];%[^;];%[^;];

ntdll.dll

system\currentcontrolset\services\%x

\\?\globalroot%wZ\cmd.dll

\\?\globalroot%wZ\cfg.ini

\\?\globalroot%wZ\bckfg.tmp

cmd.dll

%[^|]|%[^|]|%s

\\?\globalroot%wZ\ldr16

\\?\globalroot%wZ\ldr32

\\?\globalroot%wZ\ldr64

\\?\globalroot%wZ\drv64

\\?\globalroot%wZ\cmd64.dll

cmd64.dll

\\?\globalroot%wZ\drv32

aid=%s

sid=%s

*=cmd.dll

* (x64)=cmd64.dll

[cmd]

srv=%s

wsrv=%s

psrv=%s

cfg.ini

bckfg.tmp

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>

ZwConnectPort

GetWindowsDirectoryW

KERNEL32.dll

RegCreateKeyA

RegCloseKey

ADVAPI32.dll

SHDeleteKeyA

SHLWAPI.dll

imagehlp.dll

PSAPI.DLL

RPCRT4.dll

InternetCrackUrlA

HttpOpenRequestA

HttpSendRequestA

WININET.dll

ShellExecuteW

SHELL32.dll

ole32.dll

WINSPOOL.DRV

Error loading operating system

Missing operating system

`.reloc

kdcom.dll

ntoskrnl.exe

`.pdata

.pdata

@.reloc

tùXXt

\\?\globalroot%S

%s (x64)

KeDelayExecutionThread

ZwOpenKey

ZwQueryValueKey

ZwSetValueKey

!Win64 .DLL.

.MPRESS1

.MPRESS2*

%X%XLA

AndExecu

https:/

alm94.as(ia

wrika.in

pG&$.KG

DB.fD

9=!%F

\{x-x-x-x-xx}

\registry\machine\%S

\??\physicaldrive%d

services.exe

\??\globalroot\systemroot\system32\tasks\%x

\\?\globalroot%s

%s.manifest

%s\setup%u.exe

%s\%S

*\KERNEL32.DLL

\device\%s

%s\cfg.ini

%s\mbr

Explorer.EXE_1140_rwx_01E00000_00013000:

HTTP/1.1

Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry

SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

\user32.dll

ms.dll

task32.dll

\updhlp.dat

<script src="hXXp://

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

19792079

[%subid]

[%key]

google.com/

**http://

search.yahoo.com

bing.com

.info/message.php

\temp.ini

\admin.txt

.aspx

iexplore.exe

&HTTP_REFERER=

\server.dat

\Windows

\winhelp.exe

<h3 class="r"><a href="hXXp://

<h3 class=r><a href="hXXp://

yschttl spt" href="hXXp://

<div><a href="hXXp://rds.yahoo.com

<a href="hXXp://

sb_tlst"><h3><a href="hXXp://

19091979

HTTP/1.1 302 Moved Temporarily

HTTP/1.1 200 OK

<html><head><script language="JavaScript">function f(){var form = document.forms["rr"];form.submit();}if(document.cookie==""){if (history.length!=0) document.cookie="k=1";window.onload=f;}else{document.cookie="k=1;expires=Mon, 01-Jan-2001 00:00:00 GMT";history.back();}</script></head><body><form action="hXXp://

<html><head></head><body><script type="text/javascript">location.href="hXXp://

keyword

hXXp://

HTTP/1.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

ntdll.dll

kernel32.dll

user32.dll

ws2_32.dll

advapi32.dll

shell32.dll

Wininet.dll

version.dll

ole32.dll

Dnsapi.dll

hXXp://google.ru/s.php?dd=giuy

c:\feed1.txt

:VVV.u

google.com

\windows\

sfc_os.dll

wininit.exe

winlogon.exe

dllcache\winlogon.exe

explorer.exe

dllcache\explorer.exe

z.exe

.datj

5xplorer.exe

opera.exe

firefox.exe

chrome.exe

8.texu5

8.datu

\e.exe

5$555$$$

$$  $$$$555

554761032=<?>98;:%$'&! #"-,/.)( *

5 555)55595553555

5{555,5558?

k5%WU5%kT5%xZO\YYT

_5_5_5]*5:5

5C.ee

_cb

755_3_4_7

555_6_5_4]555

5:5_5_5_5]

_5_5_5_5

0|*5U55

%5%f@

];!5%]?!5%

 5%6x9

 5
U]

555_7_5_6]555

@=_5]5155

1de]%f_1_

*5%]^'5%

.text

`.rdata

@.data

.reloc

dll.dll

%System%\dll

fchrome.exe

lms.dll

le.exe

mgoogle.com

Explorer.EXE_1140_rwx_021F0000_00001000:

.text

`.data

.reloc

Explorer.EXE_1140_rwx_02520000_00010000:

s@SShi

LHGDbeXEwwo

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

Done.exe:636
%original file name%.exe:580
WinInstall.exe:912
ntvdm.exe:2244
Rich.exe:1688
E4U.exe:1416
IC.exe:1232
EuroP.exe:1460
tbp.exe:1692
SLFAT.exe:1392
rundll32.exe:2848
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\px[1].js (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\px[1].js (346 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@admarketplace[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zcredirect[1].htm (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\10990-28346606.ampxchange[1].htm (1056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANRFMN5.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xt.exe (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\12224[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@admarketplace[2].txt (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].net&pid=9PO755G95 (2266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\js3[1].js (2843 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@quickdomainfwd[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quickdomainfwd[1].htm (5 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83de2468-71e2-11e6-a14b-0ad4d45a4925[1].htm (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAX8W3TD (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WinInstall.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaC.tmp (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\EuroP.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\SLFAT.exe (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tenn2.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\E4U.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\converter7.exe (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Gi.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Rich.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\tbp.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\IC.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (15568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\track[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAN1TMRA.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\park.lwken[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stb1.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\willwnd.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2996 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (344 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (4 bytes)
%WinDir%\Fonts (632 bytes)
%WinDir%\Temp\scs11.tmp (33880 bytes)
C:\$Directory (2240 bytes)
%System%\dllcache (648 bytes)
%WinDir%\Microsoft.NET\Framework\V2.0.50727 (768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DF39BF.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012016090320160904\index.dat (400 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%System%\config (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_678.dat (4 bytes)
%WinDir%\Temp\scs12.tmp (10145 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (166 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%WinDir%\packcrt.dll (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7za.exe (18424 bytes)
%Documents and Settings%\%current user%\Application Data\Done.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1.7z (5 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\packcrt.dll,Startup"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.