Trojan.Win32.Swrort_1fff7bd6e7

by malwarelabrobot on May 31st, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Adware.Symmi.22722 (B) (Emsisoft), Gen:Variant.Adware.Symmi.22722 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1fff7bd6e78823938788b78f061e9f22
SHA1: 15b716eafc5619059d64fb86ae0fe58a6ba1b649
SHA256: a25403010ef5b9c6677ea63bc62a2f8e847e223c72155eb60666236390b4e5e6
SSDeep: 24576:gS6tR11v135OHZn /1Pw6PR4zYYOxVKeBz7:OOZal7xV/h7
Size: 1124864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2014-05-09 23:40:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

eztxlgh3eya2.exe:5788
%original file name%.exe:208
eztxlgimbya2.exe:5336
eztxlgh173a2hngphm.exe:2804
yylmxehclwot.exe:2160
lqbgvgoko.exe:2656
lqbgvgoko.exe:4688

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ynpyflreisd\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eztxlgh173a2hngphm.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eztxlgh173a2hngphm.exe (0 bytes)

The process eztxlgh173a2hngphm.exe:2804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ynpyflreisd\tst (10 bytes)
%System%\lqbgvgoko.exe (7547 bytes)
%System%\ynpyflreisd\etc (10 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process yylmxehclwot.exe:2160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ynpyflreisd\tst (10 bytes)

The process lqbgvgoko.exe:2656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ynpyflreisd\tst (10 bytes)
%WinDir%\Temp\eztxlgimbya2.exe (35 bytes)
%System%\ynpyflreisd\aol\exefile (14580 bytes)
%System%\win64mrocli2.exe (76437 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\yylmxehclwot.exe (7547 bytes)
%System%\ynpyflreisd\cfg (479 bytes)
%System%\ynpyflreisd\aol\zip.exe (10500 bytes)
%WinDir%\Temp\eztxlgh3eya2.exe (35 bytes)
%System%\ynpyflreisd\ihst (224 bytes)
%System%\ynpyflreisd\run (10 bytes)
%System%\ynpyflreisd\rng (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\eztxlgh3eya2.exe (0 bytes)

The process lqbgvgoko.exe:4688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ynpyflreisd\tst (10 bytes)

Registry activity

The process eztxlgh3eya2.exe:5788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 A8 72 1A D3 CA BA 75 0E ED 4D A7 94 D7 EF CF"

The process eztxlgimbya2.exe:5336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 29 CC F7 75 43 0A 90 34 CB 21 6E A0 E6 BC 26"

The process eztxlgh173a2hngphm.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 E0 63 B6 E9 67 E1 A6 8B 4A 4F 99 EB 38 94 9E"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Port Tracking Encrypting Block Profile Netlogon" = "%System%\lqbgvgoko.exe"

The process lqbgvgoko.exe:2656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 A0 4E F0 35 B3 CE AE A5 33 B3 EA 33 1F 89 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 804 bytes in size. The following strings are added to the hosts file:

127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 mail.yahoo.com
127.0.0.1 my.ebay.com
127.0.0.1 cgi.ebay.com
127.0.0.1 offer.ebay.com
127.0.0.1 feedback.ebay.com
127.0.0.1 motors.search.ebay.com
127.0.0.1 search.ebay.com
127.0.0.1 pages.ebay.com
127.0.0.1 pages.motors.ebay.com
127.0.0.1 myworld.ebay.com
127.0.0.1 motors.listings.ebay.com
127.0.0.1 cgi1.ebay.com
127.0.0.1 contact.ebay.com
127.0.0.1 srx.ebaymotors.ebayrtm.com
127.0.0.1 motors.shop.ebay.com
127.0.0.1 forums.ebay.com
127.0.0.1 answercenter.ebay.com
127.0.0.1 shop.ebay.com
127.0.0.1 ocs.ebay.com
127.0.0.1 cschatlb-na.corp.ebay.com
127.0.0.1 cschat1-na.corp.ebay.com
127.0.0.1 cschat.ebay.com
127.0.0.1 helpdesk.corp.ebay.com
127.0.0.1 qu.corp.ebay.com
127.0.0.1 www.ebay.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 670966 671232 4.71613 70cbe95925e60a302c4b2a794ca37ecd
.rdata 675840 53310 53760 3.65249 f1edcb9a2f467a07d91928819f2a0f8a
.data 733184 432860 398848 4.47251 e9353eb510247b143109f702d124b962

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: tabletalk.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:57 GMT
Server: Apache
Set-Cookie: vsid=911vr1489984779328823; expires=Wed, 29-May-2019 12:27:57 GMT; path=/; domain=tabletalk.net; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: glasshealth.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:42 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2591
Keep-Alive: timeout=5, max=128
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net


HTTP/1.0 503 Service Temporarily Unavailable
Date: Fri, 30 May 2014 12:27:40 GMT
Content-Type: text/html; charset=iso-8859-1
Age: 0
Server: YTS/1.20.28
<h1 style='color:#497A97;font-size:12pt;font-weight:bold'>503 - 
Service Unavailable..


GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: leadtalk.net


HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: /index.php?method=validate&mode=sox&v=029&sox=312d2400?3e3ea140


GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: gentlefriend.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:42 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2609
Keep-Alive: timeout=5, max=118
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: wellwash.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:28:41 GMT
Server: Apache
Set-Cookie: vsid=905vr1489985212109272; expires=Wed, 29-May-2019 12:28:41 GMT; path=/; domain=wellwash.net; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: throughcountry.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2595
Keep-Alive: timeout=5, max=114
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: spendmarry.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:47 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2619
Keep-Alive: timeout=5, max=126
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: mightglossary.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:42 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2627
Keep-Alive: timeout=5, max=123
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /index.php?method=validate&mode=sox&v=029&sox=312d2400 HTTP/1.0
Accept: */*
Connection: close
Host: rememberpaint.net


HTTP/1.1 200 OK
Date: Fri, 30 May 2014 12:27:43 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2621
Keep-Alive: timeout=5, max=127
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>

The Trojan connects to the servers at the following location(s):

lqbgvgoko.exe_2656:


yylmxehclwot.exe_5444:


win32mrocli2.exe_1564:


eztxlgimbya2.exe_644:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    eztxlgh3eya2.exe:5788
    %original file name%.exe:208
    eztxlgimbya2.exe:5336
    eztxlgh173a2hngphm.exe:2804
    yylmxehclwot.exe:2160
    lqbgvgoko.exe:2656
    lqbgvgoko.exe:4688

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\ynpyflreisd\tst (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eztxlgh173a2hngphm.exe (7386 bytes)
    %System%\lqbgvgoko.exe (7547 bytes)
    %System%\ynpyflreisd\etc (10 bytes)
    %System%\drivers\etc\hosts (22 bytes)
    %WinDir%\Temp\eztxlgimbya2.exe (35 bytes)
    %System%\ynpyflreisd\aol\exefile (14580 bytes)
    %System%\win64mrocli2.exe (76437 bytes)
    %System%\yylmxehclwot.exe (7547 bytes)
    %System%\ynpyflreisd\cfg (479 bytes)
    %System%\ynpyflreisd\aol\zip.exe (10500 bytes)
    %WinDir%\Temp\eztxlgh3eya2.exe (35 bytes)
    %System%\ynpyflreisd\ihst (224 bytes)
    %System%\ynpyflreisd\run (10 bytes)
    %System%\ynpyflreisd\rng (12 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Port Tracking Encrypting Block Profile Netlogon" = "%System%\lqbgvgoko.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
