Trojan.Generic.9176938_a3aa5a0ba8

by malwarelabrobot on October 18th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.9176938 (B) (Emsisoft), Trojan.Generic.9176938 (AdAware), Trojan.Win32.IEDummy.FD, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a3aa5a0ba8b429d63d59e40c4f9fe471
SHA1: b3917a7bad5b38cb7862437f7caea02a5a10c4ab
SHA256: f8d128ad8f8f08866175b39a031d4dad672f3b078faec69d25dc4880840d2f92
SSDeep: 6144:K7ouwJmT6pNUOGSZatv8MH+tZPPJFuBf:KzwJmT6bU/ltvdHkZPxFu
Size: 615424 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1976-09-11 21:14:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:492

The Trojan injects its code into the following process(es):

Rundll32.exe:704
iexplore.exe:472

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Rundll32.exe:704 makes changes in the file system.
The Trojan deletes the following file(s):

C:\~0002ftd.tmp (0 bytes)
C:\a3aa5a0ba8b429d63d59e40c4f9fe471 (0 bytes)

The process %original file name%.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\rundll32.exe (4185 bytes)
C:\~0002ftd.tmp (37 bytes)
%System%\rundII32.exe (57 bytes)
%System%\msng.exe (4185 bytes)

Registry activity

The process Rundll32.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\VB and VBA Program Settings\Svchost\Open]
"times" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 70 7B 48 1F 50 C4 63 2B CB C5 F2 AB 51 3A 31"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msng" = "%System%\msng.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 66 98 92 6B F2 BC C1 60 D7 5B 54 3D D3 1A 6C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"Rundll32.exe" = "Rundll32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies the IE security-zone settings so that all local web nodes without dots that do not belong to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msng" = "%System%\msng.exe"

Dropped PE files

MD5 File path
ac2c9bc35a7ad096fe1a5173e50c7af6 c:\WINDOWS\system32\rundII32.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate host names to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file:

127.0.0.1 www.Brenz.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
4096 122880 0 0 d41d8cd98f00b204e9800998ecf8427e
126976 16384 15872 5.4557 93d309fa36e44d38c4f31bfc14f0fec3
.rsrc 143360 328110 328192 4.71376 074d5103dc8a9945ea3ca55cb33b6165
vnnahww 475136 28672 28672 5.12838 67c1479411c9153e750ade8f593fdd19
nbmrrhn 503808 28672 28672 0 cf845a781c107ec1346e849c9dd1b7e8
zbebicl 532480 28672 28672 0 cf845a781c107ec1346e849c9dd1b7e8
enpxzut 561152 32768 31232 0 9cc544b7333c1f741765ce8afc8b8f27
owylroe 593920 184320 153088 0 d94085b36c265d5e7f49c6b6e817c992

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://openclose.ir/
hxxp://openclose.ir/wp-includes/js/wp-emoji-release.min.js?ver=4.5.3
hxxp://openclose.ir/wp-content/themes/twentysixteen/style.css?ver=4.5.3
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie.css?ver=20160412
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie8.css?ver=20160412
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie7.css?ver=20160412
hxxp://openclose.ir/wp-content/plugins/wordpress-popup/css/animate.min.css?ver=4.5.3
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/html5.js?ver=3.7.3
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/Genericons.eot?") format("embedded-opentype
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/Genericons.svg
hxxp://openclose.ir/wp-includes/js/jquery/jquery.js?ver=1.12.4
hxxp://openclose.ir/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
hxxp://openclose.zamenhost.org/?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ 8.5.1.51
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/skip-link-focus-fix.js?ver=20160412
hxxp://0.gravatar.com/avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g 192.0.73.2
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/functions.js?ver=20160412
hxxp://openclose.ir/wp-content/plugins/wordpress-popup/js/public.min.js?ver=4.5.3
hxxp://openclose.ir/wp-includes/js/wp-embed.min.js?ver=4.5.3
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211 173.194.113.217
hxxp://zamenhost.org/?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ 8.5.1.51
hxxp://www.openclose.ir/ 78.47.178.19
fonts.googleapis.com 74.125.131.95


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zamenhost.org
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 310
Content-Type: text/html; charset=utf-8
Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=54ad317b-41da-4d03-bec2-a01bb990df11; path=/
Set-Cookie: VisitorID=76e34220-2856-42a9-8684-bd935ada2fb8&Exp=10/16/2019 9:47:25 PM; expires=Thu, 17-Oct-2019 04:47:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 17 Oct 2016 04:47:25 GMT
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://dp.g.
doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedi
a_test_js&channel=mobile&domain_name=zamenhost.org&output=
html&drid=as-drid-oo-1750951074443211">here</a>.</h2>
..</body></html>..HTTP/1.1 302 Found..Cache-Control: pri
vate..Content-Length: 310..Content-Type: text/html; charset=utf-8..Loc
ation: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?clie
nt=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&
output=html&drid=as-drid-oo-1750951074443211..Server: Microsoft-IIS/8.
5..X-AspNet-Version: 4.0.30319..p3p: CP="CAO PSA OUR"..Set-Cookie: Ses
sionID=54ad317b-41da-4d03-bec2-a01bb990df11; path=/..Set-Cookie: Visit
orID=76e34220-2856-42a9-8684-bd935ada2fb8&Exp=10/16/2019 9:47:25 PM; e
xpires=Thu, 17-Oct-2019 04:47:25 GMT; path=/..X-Powered-By: ASP.NET..D
ate: Mon, 17 Oct 2016 04:47:25 GMT..<html><head><title>
Object moved</title></head><body>..<h2>Obje
ct moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/do
mainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&d
omain_name=zamenhost.org&output=html&drid=as-drid-oo-175095107
4443211">here</a>.</h2>..</body></html>....

<<< skipped >>>

GET /wp-content/themes/twentysixteen/css/ie8.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 3475
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Description: IE8 specific style..*/..cod
e {..background-color: transparent;..padding: 0;.}...entry-content a,.
.entry-summary a,..taxonomy-description a,..logged-in-as a,..comment-c
ontent a,..pingback .comment-body > a,..textwidget a,..entry-footer
a:hover,..site-info a:hover {..text-decoration: underline;.}...entry-
content a:hover,..entry-content a:focus,..entry-summary a:hover,..entr
y-summary a:focus,..taxonomy-description a:hover,..taxonomy-descriptio
n a:focus,..logged-in-as a:hover,..logged-in-as a:focus,..comment-cont
ent a:hover,..comment-content a:focus,..pingback .comment-body > a:
hover,..pingback .comment-body > a:focus,..textwidget a:hover,..tex
twidget a:focus,..entry-content .wp-audio-shortcode a,..entry-content
.wp-playlist a,..page-links a {..text-decoration: none;.}...site {..ma
rgin: 21px;.}...site-inner {..max-width: 710px;.}...site-header {..pad
ding-top: 3.9375em;..padding-bottom: 3.9375em;.}...site-branding {..fl
oat: left;..margin-top: 1.3125em;..margin-bottom: 1.3125em;.}...site-t
itle {..font-size: 28px;..line-height: 1.25;.}...site-description {..d
isplay: block;.}...menu-toggle {..float: right;..font-size: 16px;..mar
gin: 1.3125em 0;..padding: 0.8125em 0.875em 0.6875em;.}...site-header-
menu {..clear: both;..margin: 0;..padding: 1.3125em 0;.}...site-header
.main-navigation .social-navigation {..margin-top: 2.625em;.}...hea
der-image {..margin: 1.3125em 0;.}...site-main {..margin-bottom: 5.25e
m;.}...post-navigation {..margin-bottom: 5.25em;.}...post-navigati

<<< skipped >>>

GET /avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 0.gravatar.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 17 Oct 2016 04:47:26 GMT
Content-Type: image/jpeg
Content-Length: 1124
Connection: keep-alive
Last-Modified: Wed, 11 Jan 1984 08:00:00 GMT
Link: <hXXps://VVV.gravatar.com/avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g>; rel="canonical"
Access-Control-Allow-Origin: *
Content-Disposition: inline; filename="ca85fd9144386f4e7420fdaa29adef2f.png"
X-nc: HIT fra 2
Accept-Ranges: bytes
Expires: Mon, 17 Oct 2016 04:52:26 GMT
Cache-Control: max-age=300
Source-Age: 154900
......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), qu
ality = 90....C.......................................................
.............C........................................................
...............1.1..".................................................
...........}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:C
DEFGHIJSTUVWXYZcdefghijstuvwxyz.......................................
......................................................................
.................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*
56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz................................
....................................................?...4...5.....6.!y
.`.....9..k.|?..J.-..P%..>y&.\..<c.V....... ...L|..(B..8?..x>
h..{D.....7./...GS............g.]W....&V~f3.M........[5=...W.OlYn#p...
.<}h..<....-F.S."...K...4O..w...Y.....Yb.{..r..@f>....|c1..nY
c.o..o....^...jx.S.......hn.`...,....Y......\.z(. .>.x.=6.-R.0.....
..Jz~'...2......ah...(q..S.._D...p.lP..........r.:.l>%.iaEMF%.n8.?.
...xs)F*....=E}5...|E..M.m.........?.h...E....:O...9i............A...(
.........#L......QE.qTQE......

<<< skipped >>>

GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 21 Jun 2016 18:03:33 GMT
Accept-Ranges: bytes
Content-Length: 97184
Connection: close
Content-Type: application/javascript
/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */.!fu
nction(a,b){"object"==typeof module&&"object"==typeof module.exports?m
odule.exports=a.document?b(a,!0):function(a){if(!a.document)throw new
Error("jQuery requires a window with a document");return b(a)}:b(a)}("
undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.docum
ent,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.ha
sOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)
},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=
function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,const
ructor:n,selector:"",length:0,toArray:function(){return e.call(this)},
get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.ca
ll(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);re
turn b.prevObject=this,b.context=this.context,b},each:function(a){retu
rn n.each(this,a)},map:function(a){return this.pushStack(n.map(this,fu
nction(b,c){return a.call(b,c,b)}))},slice:function(){return this.push
Stack(e.apply(this,arguments))},first:function(){return this.eq(0)},la
st:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=
a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},en
d:function(){return this.prevObject||this.constructor()},push:g,sort:c
.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f
,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof
g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g

<<< skipped >>>

GET /wp-content/themes/twentysixteen/js/skip-link-focus-fix.js?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:24 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 1059
Connection: close
Content-Type: application/javascript
/**. * Makes "skip to content" link work correctly in IE9, Chrome, and
Opera. * for better accessibility.. *. * @link hXXp://VVV.nczonline.n
et/blog/2013/01/15/fixing-skip-to-content-links/. */.. ( function() {.
.var isWebkit = navigator.userAgent.toLowerCase().indexOf( 'webkit' )
> -1,...isOpera = navigator.userAgent.toLowerCase().indexOf( 'oper
a' ) > -1,...isIE = navigator.userAgent.toLowerCase().indexOf(
'msie' ) > -1;...if ( ( isWebkit || isOpera || isIE ) && documen
t.getElementById && window.addEventListener ) {...window.addEventListe
ner( 'hashchange', function() {....var id = location.hash.substring( 1
),.....element;.....if ( ! ( /^[A-z0-9_-]+$/.test( id ) ) ) {.....ret
urn;....}.....element = document.getElementById( id );.....if ( elemen
t ) {.....if ( ! ( /^(?:a|select|input|button|textarea)$/i.test( eleme
nt.tagName ) ) ) {......element.tabIndex = -1;.....}......element.focu
s();......// Repositions the window on jump-to-anchor to account for a
dmin bar and border height......window.scrollBy( 0, -53 );....}...}, f
alse );..}.} )();...


GET /wp-includes/js/wp-embed.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Thu, 25 Feb 2016 10:23:27 GMT
Accept-Ranges: bytes
Content-Length: 1403
Connection: close
Content-Type: application/javascript
!function(a,b){"use strict";function c(){if(!e){e=!0;var a,c,d,f,g=-1!
==navigator.appVersion.indexOf("MSIE 10"),h=!!navigator.userAgent.matc
h(/Trident.*rv:11\./),i=b.querySelectorAll("iframe.wp-embedded-content
");for(c=0;c<i.length;c++)if(d=i[c],!d.getAttribute("data-secret"))
{if(f=Math.random().toString(36).substr(2,10),d.src+="#?secret="+f,d.s
etAttribute("data-secret",f),g||h)a=d.cloneNode(!0),a.removeAttribute(
"security"),d.parentNode.replaceChild(a,d)}else;}}var d=!1,e=!1;if(b.q
uerySelector)if(a.addEventListener)d=!0;if(a.wp=a.wp||{},!a.wp.receive
EmbedMessage)if(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d
.secret||d.message||d.value)if(!/[^a-zA-Z0-9]/.test(d.secret)){var e,f
,g,h,i,j=b.querySelectorAll('iframe[data-secret="'+d.secret+'"]'),k=b.
querySelectorAll('blockquote[data-secret="'+d.secret+'"]');for(e=0;e<
k.length;e++)k[e].style.display="none";for(e=0;e<j.length;e++)if(
f=j[e],c.source===f.contentWindow){if(f.removeAttribute("style"),"heig
ht"===d.message){if(g=parseInt(d.value,10),g>1e3)g=1e3;else if(200>
~~g)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"
),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i
.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}..


GET /wp-content/themes/twentysixteen/genericons/Genericons.svg HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 76980
Connection: close
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>.<!DOCTYPE svg PUBLIC "-
//W3C//DTD SVG 1.1//EN" "hXXp://VVV.w3.org/Graphics/SVG/1.1/DTD/svg11.
dtd" >.<!--.2015-9-18: Created with FontForge (hXXp://fontforge.
org).-->.<svg xmlns="hXXp://VVV.w3.org/2000/svg" xmlns:xlink="ht
tp://VVV.w3.org/1999/xlink" version="1.1">.<metadata>.Created
by FontForge 20150618 at Fri Sep 18 10:24:13 2015. By Joen Asmussen.C
opyright (c) 2015, Joen Asmussen.</metadata>.<defs>.<fo
nt id="Genericons" horiz-adv-x="2048" >. <font-face . font-f
amily="Genericons". font-weight="400". font-stretch="normal".
units-per-em="2048". panose-1="2 0 5 3 0 0 0 0 0 0". ascent="20
48". descent="0". bbox="-0.0140489 0 2048.01 2048". underline
-thickness="102.4". underline-position="-204.8". unicode-range="
U+0020-F517". />. <missing-glyph />. <glyph glyph-n
ame="space" unicode=" " horiz-adv-x="200" . />. <glyph glyph-
name="uniF413" unicode="" .d="M256 1280c565.504 0 1024 -458.49
6 1024 -1024h-256c0 423.552 -344.448 768 -768 768v256zM256 1792c848.25
6 0 1536 -687.744 1536 -1536h-256c0 705.792 -574.208 1280 -1280 1280v2
56zM448 640c106.112 0 192 -86.0156 192 -192s-85.8877 -192 -192 -192.s-
192 86.0156 -192 192s85.8877 192 192 192z" />. <glyph glyph-n
ame="uniF462" unicode="" .d="M618.502 1337l-213.004 142.004l-3
03.335 -455.002l303.335 -455.002l213.004 142.004l-208.665 312.998zM164
2.5 1479l-213.004 -142.004l208.665 -312.998l-208.665 -312.998l213.

<<< skipped >>>

GET /wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 28266
Connection: close
Content-Type: text/css
/**...Genericons..*/.../* IE8 and below use EOT and allow cross-site e
mbedding. . IE9 uses WOFF which is base64 encoded to allow cross-sit
e embedding.. So unfortunately, IE9 will throw a console error, but
it'll still work.. When the font is base64 encoded, cross-site embed
ding works in Firefox */.@font-face {. font-family: "Genericons";. s
rc: url("./Genericons.eot");. src: url("./Genericons.eot?") format("e
mbedded-opentype");. font-weight: normal;. font-style: normal;.}..@f
ont-face {. font-family: "Genericons";. src: url("data:application/x
-font-woff;charset=utf-8;base64,d09GRgABAAAAADakAA0AAAAAVqwAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAABGRlRNAAA2iAAAABoAAAAcdeu6KE9TLzIAAAGgAAAARQAAAGBk
LHXFY21hcAAAAogAAACWAAABsqlys6FjdnQgAAADIAAAAAQAAAAEAEQFEWdhc3AAADaAAA
AACAAAAAj//wADZ2x5ZgAABFQAAC7AAABIkKrsSc5oZWFkAAABMAAAAC8AAAA2C2BCV2ho
ZWEAAAFgAAAAHQAAACQQuAgGaG10eAAAAegAAACfAAABOFjwU3Jsb2NhAAADJAAAATAAAA
Ewy4vdrm1heHAAAAGAAAAAIAAAACAA6QEZbmFtZQAAMxQAAAE5AAACN1KGf59wb3N0AAA0
UAAAAjAAAAXo9iKXv3jaY2BkYGAAYqUtWvLx/DZfGbg5GEDgkmLVWhj9/ycDAwcbWJyDgQ
lEAQABJgkgAHjaY2BkYOBgAIIdHAz/fwLZbAyMDKiAFQBE7gLWAAAAAAEAAACXAOgAEAAA
AAAAAgAAAAEAAQAAAEAALgAAAAB42mNgYf/MOIGBlYGB1Zh1JgMDoxyEZr7OkMYkxMDAxM
DKzAADjAIMCBCQ5prC0MCg8FWcA8TdwQFVg6REgYERAPvTCMQAAAB42i1PsRXCUAg8SApr
l7FN4QZqb2WZGRjAIVLrHj4be4ews7OJHAd54cMBd+Af7JHmt3RPYAOHAYFweFhmYE4jlj
uVb8nshCzd/qVeNUCLysG8lgwrojfSW/pcTK6o7rWX82En6HJwIEv+wbi28IwpndxRu/J
aJGStHRDq5EB+OKCNumZLlSVl2TnOFVtl9nR5t7woR0QzVT+D7cKLeIAeNpjYGBgZoBgGQ
ZGBhBYA+QxgvksDBOAtAIQsoDoj5yfOD9JflL7zPGF84vkF80vll88v0R+yfxS9lX8

<<< skipped >>>

GET /wp-content/themes/twentysixteen/js/functions.js?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 6820
Connection: close
Content-Type: application/javascript
/* global screenReaderText */./**. * Theme functions file.. *. * Conta
ins handlers for navigation and widget area.. */..( function( $ ) {..v
ar body, masthead, menuToggle, siteNavigation, socialNavigation, siteH
eaderMenu, resizeTimer;...function initMainNavigation( container ) {..
..// Add dropdown toggle that displays child menu items....var dropdow
nToggle = $( '<button />', {....'class': 'dropdown-toggle',....'
aria-expanded': false...} ).append( $( '<span />', {....'class':
'screen-reader-text',....text: screenReaderText.expand...} ) );....co
ntainer.find( '.menu-item-has-children > a' ).after( dropdownToggle
);....// Toggle buttons and submenu items with active children menu i
tems....container.find( '.current-menu-ancestor > button' ).addClas
s( 'toggled-on' );...container.find( '.current-menu-ancestor > .sub
-menu' ).addClass( 'toggled-on' );....// Add menu items with submenus
to aria-haspopup="true"....container.find( '.menu-item-has-children' )
.attr( 'aria-haspopup', 'true' );....container.find( '.dropdown-toggle
' ).click( function( e ) {....var _this = $( this ),.....sc
reenReaderSpan = _this.find( '.screen-reader-text' );.....e.preventDef
ault();...._this.toggleClass( 'toggled-on' );...._this.next( '.childre
n, .sub-menu' ).toggleClass( 'toggled-on' );.....// jscs:disable...._t
his.attr( 'aria-expanded', _this.attr( 'aria-expanded' ) === 'false' ?
'true' : 'false' );....// jscs:enable....screenReaderSpan.text( scree
nReaderSpan.text() === screenReaderText.expand ? screenReaderText.

<<< skipped >>>

GET /wp-content/themes/twentysixteen/css/ie7.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 2565
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Description: IE7 specific style..*/...si
te-inner {..max-width: 656px;.}...post-navigation,..pagination,..image
-navigation,..entry-header,..entry-summary,..entry-content,..entry-foo
ter,..page-header,..page-content,..post-thumbnail,..content-bottom-wid
gets,..comments-area {..margin-right: 28px;..margin-left: 28px;..max-w
idth: 100%;.}...site-header,..sidebar,..site-footer,..widecolumn {..pa
dding-right: 28px;..padding-left: 28px;.}...search-submit {..height: a
uto;..margin-top: 28px;..padding: 15px 0 8px;..position: relative;..wi
dth: auto;.}...search-submit .screen-reader-text {..height: auto;..pos
ition: relative !important;..width: auto;.}...image-navigation .nav-pr
evious,..image-navigation .nav-next,..comment-navigation .nav-previous
,..comment-navigation .nav-next {..*display: inline;..zoom: 1;.}...ima
ge-navigation .nav-previous .nav-next,..comment-navigation .nav-prev
ious .nav-next {..margin-left: 14px;.}...pagination .nav-links {..pa
dding: 0;.}...pagination .page-numbers {..line-height: 1;..margin: -4p
x 14px 0;..padding: 18px 0;.}...pagination .prev,..pagination .next {.
.display: inline-block;..font-size: 16px;..font-weight: 700;..height:
auto;..left: 0;..line-height: 1;..margin: 0;..padding: 18px 14px;..pos
ition: relative;..right: 0;..text-transform: none;..width: auto;.}...d
ropdown-toggle {..display: none;.}...main-navigation ul ul {..display:
block;.}...social-navigation {..margin-top: 1.75em;.}...social-naviga
tion a {..height: auto;..padding: 3px 7px;..width: auto;.}...socia

<<< skipped >>>

GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 21 Jun 2016 18:03:33 GMT
Accept-Ranges: bytes
Content-Length: 10056
Connection: close
Content-Type: application/javascript
/*! jQuery Migrate v1.4.1 | (c) jQuery Foundation and other contributo
rs | jquery.org/license */."undefined"==typeof jQuery.migrateMute&&(jQ
uery.migrateMute=!0),function(a,b,c){function d(c){var d=b.console;f[c
]||(f[c]=!0,a.migrateWarnings.push(c),d&&d.warn&&!a.migrateMute&&(d.wa
rn("JQMIGRATE: " c),a.migrateTrace&&d.trace&&d.trace()))}function e(b,
c,e,f){if(Object.defineProperty)try{return void Object.defineProperty(
b,c,{configurable:!0,enumerable:!0,get:function(){return d(f),e},set:f
unction(a){d(f),e=a}})}catch(g){}a._definePropertyBroken=!0,b[c]=e}a.m
igrateVersion="1.4.1";var f={};a.migrateWarnings=[],b.console&&b.conso
le.log&&b.console.log("JQMIGRATE: Migrate is installed" (a.migrateMute
?"":" with logging active") ", version " a.migrateVersion),a.migrateTr
ace===c&&(a.migrateTrace=!0),a.migrateReset=function(){f={},a.migrateW
arnings.length=0},"BackCompat"===document.compatMode&&d("jQuery is not
compatible with Quirks Mode");var g=a("<input/>",{size:1}).attr
("size")&&a.attrFn,h=a.attr,i=a.attrHooks.value&&a.attrHooks.value.get
||function(){return null},j=a.attrHooks.value&&a.attrHooks.value.set||
function(){return c},k=/^(?:input|button)$/i,l=/^[238]$/,m=/^(?:autofo
cus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multipl
e|open|readonly|required|scoped|selected)$/i,n=/^(?:checked|selected)$
/i;e(a,"attrFn",g||{},"jQuery.attrFn is deprecated"),a.attr=function(b
,e,f,i){var j=e.toLowerCase(),o=b&&b.nodeType;return i&&(h.length<4
&&d("jQuery.fn.attr( props, pass ) is deprecated"),b&&!l.test(o)&&

<<< skipped >>>

GET /wp-content/themes/twentysixteen/genericons/Genericons.eot?") format("embedded-opentype HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 22374
Connection: close
Content-Type: application/vnd.ms-fontobject
fW...V............................LP.........................*."......
..............G.e.n.e.r.i.c.o.n.s.....R.e.g.u.l.a.r... .V.e.r.s.i.o.n.
.0.0.1...0.0.0. .....G.e.n.e.r.i.c.o.n.s................PFFTMu..(..V.
....OS/2d,u....X...`cmap.r..........cvt .D..........gasp......V.....gl
yf..I.......H.head.`BW.......6hhea...........$hmtxX.Sr.......8loca....
.......0maxp.......8... nameR.....Nh...7post."....P.............".*._.
<..........!z......!z..............................................
[email protected].......
f..............................PfEd... ........................... ...
..D...................................................................
......................................U...............................
......`.........S.....................................................
........................f...................................@.....7...
T.n............................................................... . .
.... .......&.......).9.I.Y.i.v....... ....... ....... [email protected].`.p.....
..........).2.,.&. ...................................................
......................................................................
......................................................................
......................................................................
................................................D.....,.,.,.,.Z.......
....F.........L...........b...0.....$.H.......8...........<.~...$.F
.b.......2.....0.f.....H.......@.^.z....... .X.........J.........

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.openclose.ir
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Oct 2016 04:47:00 GMT
Server: Apache
X-Powered-By: PHP/5.5.35
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=3691cdf9ddd4c88824ebbe538153b99d; path=/
Location: hXXp://openclose.ir/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /wp-content/plugins/wordpress-popup/css/animate.min.css?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Thu, 26 May 2016 08:55:22 GMT
Accept-Ranges: bytes
Content-Length: 52287
Connection: close
Content-Type: text/css
/*! PopUp Free - v4.7.11. * hXXps://wordpress.org/plugins/wordpress-po
pup/. * Copyright (c) 2015; * Licensed GPLv2 */../*!.Animate.css - ht
tp://daneden.me/animate.Licensed under the MIT license - hXXp://openso
urce.org/licenses/MIT..Copyright (c) 2014 Daniel Eden.hXXps://raw.gith
ubusercontent.com/daneden/animate.css/master/animate.css.*/.animated{-
webkit-animation-duration:1s;animation-duration:1s;-webkit-animation-f
ill-mode:both;animation-fill-mode:both}.animated.infinite{-webkit-anim
ation-iteration-count:infinite;animation-iteration-count:infinite}.ani
mated.hinge{-webkit-animation-duration:2s;animation-duration:2s}@-webk
it-keyframes bounce{0%,20%,53%,80%,100%{transition-timing-function:cub
ic-bezier(0.215,.61,.355,1);-webkit-transform:translate3d(0,0,0);trans
form:translate3d(0,0,0)}40%,43%{transition-timing-function:cubic-bezie
r(0.755,.05,.855,.06);-webkit-transform:translate3d(0,-30px,0);transfo
rm:translate3d(0,-30px,0)}70%{transition-timing-function:cubic-bezier(
0.755,.05,.855,.06);-webkit-transform:translate3d(0,-15px,0);transform
:translate3d(0,-15px,0)}90%{-webkit-transform:translate3d(0,-4px,0);tr
ansform:translate3d(0,-4px,0)}}@keyframes bounce{0%,20%,53%,80%,100%{t
ransition-timing-function:cubic-bezier(0.215,.61,.355,1);-webkit-trans
form:translate3d(0,0,0);transform:translate3d(0,0,0)}40%,43%{transitio
n-timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform:t
ranslate3d(0,-30px,0);transform:translate3d(0,-30px,0)}70%{transition-
timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform

<<< skipped >>>

GET /wp-content/themes/twentysixteen/js/html5.js?ver=3.7.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:11 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 10330
Connection: close
Content-Type: application/javascript
/**.* @preserve HTML5 Shiv 3.7.3 | @afarkas @jdalton @jon_neal @rem | 
MIT/GPL2 Licensed.*/.;(function(window, document) {./*jshint evil:true
*/. /** version */. var version = '3.7.3';.. /** Preset options */
. var options = window.html5 || {};.. /** Used to skip problem eleme
nts */. var reSkip = /^<|^(?:button|map|select|textarea|object|ifr
ame|option|optgroup)$/i;.. /** Not all elements can be cloned in IE *
*/. var saveClones = /^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|l
abel|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i;.. /** D
etect whether the browser supports default html5 styles */. var suppo
rtsHtml5Styles;.. /** Name of the expando, to work with multiple docu
ments or to re-shiv one document */. var expando = '_html5shiv';.. /
** The id for the the documents expando */. var expanID = 0;.. /** C
ached data for each document */. var expandoData = {};.. /** Detect
whether the browser supports unknown elements */. var supportsUnknown
Elements;.. (function() {. try {. var a = document.createEl
ement('a');. a.innerHTML = '<xyz></xyz>';. /
/if the hidden property is implemented we can assume, that the browser
supports basic HTML5 Styles. supportsHtml5Styles = ('hidden' i
n a);.. supportsUnknownElements = a.childNodes.length == 1 || (
function() {. // assign a false positive if unable to shiv.
(document.createElement)('a');. var frag = document.c
reateDocumentFragment();. return (. typeof fra

<<< skipped >>>

GET /wp-content/themes/twentysixteen/css/ie.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 748
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Description: Global Styles for older IE 
versions (previous to IE10)..*/...site-header-main:before,..site-heade
r-main:after,..site-footer:before,..site-footer:after {..content: "";.
.display: table;.}...site-header-main:after,..site-footer:after {..cle
ar: both;.}..@media screen and (min-width: 56.875em) {...site-branding
,...site-info {...float: left;..}....site-header-menu,...site-footer .
social-navigation {...float: right;..}....site-footer .social-navigati
on {...margin-left: 7px;..}....rtl .site-branding,...rtl .site-info {.
..float: right;..}....rtl .site-header-menu,...rtl .site-footer .socia
l-navigation {...float: left;..}....rtl .site-footer .social-navigatio
n {...margin-right: 7px;...margin-left: 0;..}.}...


GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:01 GMT
Server: Apache
X-Powered-By: PHP/5.5.35
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Link: <hXXp://openclose.ir/wp-json/>; rel="hXXps://api.w.org/"
Set-Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
68..<!DOCTYPE html>.<html lang="en-US" prefix="og: hXXp://ogp
.me/ns#" class="no-js">.<head>..<meta charset="..fc..UTF-8
">..<meta name="viewport" content="width=device-width, initial-s
cale=1">..<link rel="profile" href="hXXp://gmpg.org/xfn/11">.
..<script>(function(html){html.className = html.className.replac
e(/\bno-js\b/,'js')})(document.documentElement);</script>...42..
<title>openclose - Just another parking system Sites site</ti
tle>...6d...<!-- This site is optimized with the Yoast SEO plugi
n v3.2.5 - hXXps://yoast.com/wordpress/plugins/seo/ -->...4c..<m
eta name="description" content="Just another parking system Sites site
"/>...26..<meta name="robots" content="noodp"/>...34..<lin
k rel="canonical" href="hXXp://openclose.ir" />...24..<meta prop
erty="og:locale" content="..38..en_US" />.<meta property="og:typ
e" content="website" />...23..<meta property="og:title" content=
"..47..openclose - Just another parking system Sites site" />.<m
eta property="..2dd2..og:description" content="Just another parking sy
stem Sites site" />.<meta property="og:url" content="hXXp://open
close.ir" />.<meta property="og:site_name" content="openclose" /
>.<meta name="twitter:card" content="summary" />.<meta nam
e="twitter:description" content="Just another parking system Sites sit
e" />.<meta name="twitter:title" content="openclose - Just anoth
er parking system Sites site" />.<script type='application/l

<<< skipped >>>

GET /apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: dp.g.doubleclick.net


HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Mon, 17 Oct 2016 04:47:26 GMT
Server: domainserver
Cache-Control: private
Content-Length: 3281
X-XSS-Protection: 1; mode=block
...........[.....~.B..dI.v.-..}....B.,[email protected].`&.23....7J.)
uK.-...$...nq......*u.S..1.0.L.....;...|`.k...... ...%..{..w:.......3.
.78L.y....l.3.~1..0..f...u...<.`.k...9..J3_.~.l.[.zk.`..:.....~...x
Kx.H.....I].1...32Ap.tU.^.K.....v...:..... .d.9.........bxK'..........
...:.d....c._..!....{.....mhy.0.M$r...k.).`6..e.7......{..... .i....yO
{2......#[email protected]>H.77..1..tT...Ed.."..@.<.p....><$$....Rj..
KT(}V..UK<%.....W..<).7a.m....../..r...T......1...h./.<..].U!
^....$.q.=....a...........0....6.X.1.)......7..V".u.Xp.......A.{.%c...
....6%ZH...ds..X2...!.RW@.~...{...v...*.W".kh.....nLm...,.QW.1'r0..G|S
.q$Wv.......w.}....g.....A......F...W...6.x._..V2..e_...-.KbV..$.!.1.3
..?N....P&.t.zN....(.c|... ..S.9~p..tVU....3.px.^.d.d..D..U.......p...
.......L.Jy....|$.3..l;.8.5..|..*..\.a9".\....a.Q.f.G.#.O.jh...2....YP
b4..DA.!..!.H6...!.d...f,..L.0.:e...P$JA...$..1u...C.E......TT[p...;..
.2.9../*[&.}F 9..c....0....!..;.#q*..#.=K/!.1.{V.5.."M...d.....bzQS.E.
.8.L..KH..a.k....h....zhS<..0..,....$.......`F......-..F-..$..g1...
..lw.3@..!T....A.........H.A.$ED'^.CI.S.m<....D/b..,.*I^.w2..W.F..v
n.G..........;(Y..D(.%.l:...X,..p...}..b..u....7.....m^....R .-.......
.......`..E..........u ...&T3.)..."ocb..h.Z...6.jO..t.3..l.#A.....`...
..S..JHn...... S/..... ya.?J....t.}.......kly.z.7.H..j2...jK.....;*.tj
...^%...N.F.Jx....Bz.....Q,8...M...m.'h.0l;..,..T....CRG..~K.i$If. O.
L....[..2t62.I...o.-.....7..y.%....."}...t.P.....c.b..D.Q...b.##..<
...<U.Dm...2. >P3..&mG5.0......o.vgm.|^.........#..u%...|.R)

<<< skipped >>>

GET /wp-content/themes/twentysixteen/style.css?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 68939
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Theme URI: hXXps://wordpress.org/themes/
twentysixteen/.Author: the WordPress team.Author URI: hXXps://wordpres
s.org/.Description: Twenty Sixteen is a modernized take on an ever-pop
ular WordPress layout ... the horizontal masthead with an optional rig
ht sidebar that works perfectly for blogs and websites. It has custom
color options with beautiful default color schemes, a harmonious fluid
grid using a mobile-first approach, and impeccable polish in every de
tail. Twenty Sixteen will make your WordPress look beautiful everywher
e..Version: 1.2.License: GNU General Public License v2 or later.Licens
e URI: hXXp://VVV.gnu.org/licenses/gpl-2.0.html.Tags: black, blue, gra
y, red, white, yellow, dark, light, one-column, two-columns, right-sid
ebar, fixed-layout, responsive-layout, accessibility-ready, custom-bac
kground, custom-colors, custom-header, custom-menu, editor-style, feat
ured-images, flexible-header, microformats, post-formats, rtl-language
-support, sticky-post, threaded-comments, translation-ready.Text Domai
n: twentysixteen..This theme, like WordPress, is licensed under the GP
L..Use it to make something cool, have fun, and share what you've lear
ned with others..*/.../**. * Table of Contents. *. * 1.0 - Normalize.
* 2.0 - Genericons. * 3.0 - Typography. * 4.0 - Elements. * 5.0 - Form
s. * 6.0 - Navigation. * 6.1 - Links. * 6.2 - Menus. * 7.0 - Acces
sibility. * 8.0 - Alignments. * 9.0 - Clearings. * 10.0 - Widgets. * 1
1.0 - Content. * 11.1 - Header. * 11.2 - Posts and pages. *

<<< skipped >>>

GET /wp-includes/js/wp-emoji-release.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Sun, 13 Mar 2016 20:30:27 GMT
Accept-Ranges: bytes
Content-Length: 9802
Connection: close
Content-Type: application/javascript
// Source: wp-includes/js/twemoji.min.js.var twemoji=function(){"use s
trict";function a(a){return document.createTextNode(a)}function b(a){r
eturn a.replace(u,h)}function c(a,b){return"".concat(b.base,b.size,"/"
,a,b.ext)}function d(a,b){for(var c,e,f=a.childNodes,g=f.length;g--;)c
=f[g],e=c.nodeType,3===e?b.push(c):1!==e||v.test(c.nodeName)||d(c,b);r
eturn b}function e(a){return o(a.indexOf(t)<0?a.replace(s,""):a)}fu
nction f(b,c){for(var f,g,h,i,j,k,l,m,n,o,p,q,s,t=d(b,[]),u=t.length;u
--;){for(h=!1,i=document.createDocumentFragment(),j=t[u],k=j.nodeValue
,m=0;l=r.exec(k);){if(n=l.index,n!==m&&i.appendChild(a(k.slice(m,n))),
p=l[0],q=e(p),m=n p.length,s=c.callback(q,c)){o=new Image,o.onerror=c.
onerror,o.setAttribute("draggable","false"),f=c.attributes(p,q);for(g
in f)f.hasOwnProperty(g)&&0!==g.indexOf("on")&&!o.hasAttribute(g)&&o.s
etAttribute(g,f[g]);o.className=c.className,o.alt=p,o.src=s,h=!0,i.app
endChild(o)}o||i.appendChild(a(p)),o=null}h&&(m<k.length&&i.appendC
hild(a(k.slice(m))),j.parentNode.replaceChild(i,j))}return b}function
g(a,c){return m(a,function(a){var d,f,g=a,h=e(a),i=c.callback(h,c);if(
i){g="<img ".concat('class="',c.className,'" ','draggable="false" '
,'alt="',a,'"',' src="',i,'"'),d=c.attributes(a,h);for(f in d)d.hasOwn
Property(f)&&0!==f.indexOf("on")&&-1===g.indexOf(" " f "=")&&(g=g.conc
at(" ",f,'="',b(d[f]),'"'));g=g.concat(">")}return g})}function h(a
){return q[a]}function i(){return null}function j(a){return"number"==t
ypeof a?a "x" a:a}function k(a){var b="string"==typeof a?parseInt(

<<< skipped >>>

GET /wp-content/plugins/wordpress-popup/js/public.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9


HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Thu, 26 May 2016 08:55:22 GMT
Accept-Ranges: bytes
Content-Length: 9740
Connection: close
Content-Type: application/javascript
/*! PopUp Free - v4.7.11. * hXXps://wordpress.org/plugins/wordpress-po
pup/. * Copyright (c) 2015; * Licensed GPLv2 */.(function(){function
e(e){"closed"===l?e._show()?(h=e,l="open"):t(e):c[c.length]=e}function
t(){if(l="closed",h=null,c.length>0){var t=c.shift();e(t)}}functio
n i(e,t,i){var o,r,a=0,l=s("" window.location),c=s("" document.referre
r),h=null,u=function u(t){h=jQuery.extend({},e),h.popup=t,n(h)};return
void 0!==window.force_popover&&(a="" window.force_popover),void 0!==t
&&(a="" t),e.ajax_data=e.ajax_data||{},r=jQuery.extend({},e.ajax_data)
,r.action="inc_popup",r["do"]=e["do"],r.thefrom=l,r.thereferrer=c,a&&(
r.po_id=a),i&&(r.data=i),e.preview&&(r.preview=!0),o={url:e.ajaxurl,da
taType:"jsonp",jsonpCallback:"po_data",data:r,success:function(e){u(e)
},complete:function(){jQuery(document).trigger("popup-load-done",[h])}
},jQuery.ajax(o)}function n(e){if(void 0!==e){var t=function t(e){void
0!==e&&(void 0!==e.popup&&void 0!==e.popup.html&&(jQuery('<style t
ype="text/css">' e.popup.styles "</style>").appendTo("head"),
jQuery(e.popup.html).appendTo("body").hide()),window.inc_popup=new a(e
),window.inc_popups[window.inc_popups.length]=window.inc_popup,jQuery(
document).trigger("popup-initialized",[window.inc_popup]),e.noinit||e.
preview||window.inc_popup.init())};if(e.popup instanceof Array)for(var
i=0;e.popup.length>i;i =1){var n=jQuery.extend({},e);n.popup=e.pop
up[i],t(n)}else e instanceof Object&&t(e)}}function s(e){for(var t=[],
i=0;e.length>i;i ){if(e.length>i 1){var n=e.charCodeAt(i),s

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Rundll32.exe_704:

.rsrc
WgM[A V?V5%SM=
x=.UVY5@
a%SbeQ
advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.tN@2NH
3333333330
3333330
333333333333330
.LjR=W
.Jbjx=
^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-
4444444
333333333333333
444444444
33333333333333
KERNEL32.DLL
MSVBVM60.DLL
.r~.uQv
$YZ.mC
1by%X
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ru.brans.pl
core.ircgalaxy.pl
NICK zabfersu
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
windowsupdate
drweb
ilo.brenz.pl
ant.trenz.pl
NICK slbqoipf
 .fe`/
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe

Rundll32.exe_704_rwx_00401000_00022000:

advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.rsrc
.tN@2NH
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe

Rundll32.exe_704_rwx_00436000_00001000:

KERNEL32.DLL
MSVBVM60.DLL

Rundll32.exe_704_rwx_00458000_00016000:

ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ru.brans.pl
core.ircgalaxy.pl
NICK zabfersu
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
KERNEL32.DLL
windowsupdate
drweb
ilo.brenz.pl
ant.trenz.pl
NICK slbqoipf

iexplore.exe_472:

%?9-*09,*19}*09
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
%U#`JU
.koZsL
P-.WNd
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_472_rwx_00401000_00002000:

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
IExplorer.EXE
browseui.dll
shdocvw.dll

iexplore.exe_472_rwx_00418000_00007000:

%U#`JU
.koZsL
P-.WNd
6.00.2900.5512 (xpsp.080413-2105)
IEXPLORE.EXE
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:492

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\rundll32.exe (4185 bytes)
    C:\~0002ftd.tmp (37 bytes)
    %System%\rundII32.exe (57 bytes)
    %System%\msng.exe (4185 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msng" = "%System%\msng.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
