MD5: 66939c0d5ca443a28ee2ec7b6e800c62
SHA1: 112f6f1a8f44987c23b58a05605c72aba394ce2e
SHA256: 5bd17a353089b208e885860f306717618c4785049cac7ed05aa3d57635afc518
SSDeep: 3072:tFPsuwGaoguQpvXcQStumCx7uqrruqout x:cSzPLCxyqriqoS x
Size: 107016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-29 08:41:34
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

RUpdate.exe:380
RUpdate.exe:928
Zona.exe:1688
Zona.exe:1716

The Trojan injects its code into the following process(es):

%original file name%.exe:312
%original file name%.exe:1888

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Zona\init.xml (335 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\zona.ru\zona.sol (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appdata.7z (1326784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zon1.tmp (47 bytes)
%Documents and Settings%\%current user%\Desktop\Zona.lnk (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Zona.7z (435264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rambler_r33.7z (27336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YRI_X[1].jpg (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Zona.lnk (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZonaInstall.log (12853 bytes)

The process %original file name%.exe:1888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Zona\utils.jar (29 bytes)
%Program Files%\Zona\License_uk.rtf (21 bytes)
%Program Files%\Zona\License_en.rtf (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZonaInstall.log (8096 bytes)
%Program Files%\Zona\License_ru.rtf (23 bytes)

The process RUpdate.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\holdem_scheduler.log (565 bytes)

The process RUpdate.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\assistcookie.tmp (10 bytes)
%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\holdem_scheduler.log (4019 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\del_cookie_assist[1].xml (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[1].txt (169 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\assistcookie.tmp (0 bytes)

The process Zona.exe:1688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Zona\launch.log (7639 bytes)

The process Zona.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Zona\launch.log (19063 bytes)

Registry activity

The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\.zona]
"(Default)" = "Zona"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Zona]
"InstallDate" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids]
"Zona" = ""

[HKCU\Software\Zona]
"PID" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Zona]
"Guid" = "FCE438B1-1301-46D8-BD5A-2BAE7656386D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\Zona\DefaultIcon]
"(Default)" = "%Program Files%\Zona\torrent.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\.zona]
"(Default)" = "Zona"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.torrent]
"(Default)" = "Zona"

[HKCU\Software\Zona]
"DownloadsDir" = "%Documents and Settings%\%current user%\My Documents\Zona Download"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"%original file name%.exe" = "66939c0d5ca443a28ee2ec7b6e800c62"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Classes\Zona\shell\open\command]
"(Default)" = "%Program Files%\Zona\Zona.exe %1"

[HKCU\Software\Zona]
"InstallLang" = "1033"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\Zona]
"URL Protocol" = ""

[HKCR\Applications\Zona.exe\shell\open\command]
"(Default)" = "%Program Files%\Zona\Zona.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA CC BC EB 63 0A 84 10 00 44 16 7E EC EA 21 9E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Zona]
"Zona.exe" = "Zona"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\.torrent]
"(Default)" = "Zona"

[HKCU\Software\Zona]
"exec" = "%Program Files%\Zona\Zona.exe"

[HKCU\Software\Classes\Zona\shell]
"(Default)" = "open"

[HKCU\Software\Zona]
"pinstall" = "rambler"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Zona" = "%Program Files%\Zona\Zona.exe /MINIMIZED"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Zona]
"Zona.exe" = "%Program Files%\Zona\Zona.exe:*:Enabled:Zona"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 AB CD FA 70 1E 57 26 A3 6C 12 51 C9 3F 96 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona]
"NoRepair" = "1"

[HKLM\SOFTWARE\Zona]
"Path" = "%Program Files%\Zona"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona]
"UninstallString" = "%Program Files%\Zona\uninstall.exe"
"Publisher" = "Zona Team"
"DisplayName" = "Zona"
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona)]
"DisplayName" = "Zona"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona]
"DisplayIcon" = "%Program Files%\Zona\Zona.exe"
"EstimatedSize" = "30720"

The process RUpdate.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 FC 7B 70 29 0C E8 02 FB A5 A8 40 C1 98 5E 36"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process RUpdate.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"URL" = "http://nova.rambler.ru/search?query={searchTerms}&utm_source=r33&utm_medium=distribution&utm_content=e09&utm_campaign=c01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"SuggestionsURL_JSON" = "http://nova.rambler.ru/suggest?v=3&query={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"ShowSearchSuggestions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"OSDFileURL" = "http://www.rambler.ru/i/osd.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.rambler.ru/?utm_source=r33&utm_medium=distribution&utm_content=e08&utm_campaign=c01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{00000000-4EB2-4FC3-BD68-7067448F7A06}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"FaviconURL" = "http://i.rl0.ru/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"SortIndex" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 18 F3 20 41 1D 64 77 DE 49 9F 75 E9 36 52 E1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.rambler.ru/?utm_source=r33&utm_medium=distribution&utm_content=e08&utm_campaign=c01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}]
"DisplayName" = "Rambler"
"Codepage" = "65001"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Rambler Update Assistant"

The process Zona.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB D9 DD D1 00 49 9D 1D AB 59 A1 AB 46 7E CB B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process Zona.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 4D EB 79 30 BB EB 1E A2 7E AD 0A AC 10 66 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
558bbff4f7f9b63cbe27c4275f8eebf2
cff3edc476166ec9ab0268d464cbc186

URLs

URL	IP
hxxp://i2.x8.net/T/YRI_X.jpeg	178.218.223.40
hxxp://zona.ru/installer.html?param=3cc1db9ac07bfd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd743105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a7057e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec	5.35.172.6
hxxp://stat.miniload.org/installer.html?param=3cc1db9ac07bfd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd743105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a7057e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec	46.254.17.199
hxxp://dl.zona.ru/Zona.7z	46.254.16.107
hxxp://dl.zona.ru/appdata.7z	46.254.16.107

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /installer.html?param=3cc1db9ac07bfd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd743105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a7057e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec HTTP/1.1

User-Agent: ZONA_httpget

Host: stat.miniload.org

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 20 Mar 2016 04:21:19 GMT

Content-Type: text/html;charset=UTF8

Content-Length: 47

Connection: keep-alive
<response time="1458447679071" idState="free"/>HTTP/1.1 200 OK..
Server: nginx..Date: Sun, 20 Mar 2016 04:21:19 GMT..Content-Type: text
/html;charset=UTF8..Content-Length: 47..Connection: keep-alive..<re
sponse time="1458447679071" idState="free"/>..

GET /installer.html?param=3cc1db9ac07bfd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd743105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a7057e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec HTTP/1.1

User-Agent: ZONA_httpget

Host: zona.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Sun, 20 Mar 2016 04:21:18 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXp://stat.miniload.org/installer.html?param=3cc1db9ac07bfd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd743105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a7057e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx</center>..</body>..</html>..HTTP/1.1 301
 Moved Permanently..Server: nginx..Date: Sun, 20 Mar 2016 04:21:18 GMT
..Content-Type: text/html..Content-Length: 178..Connection: keep-alive
..Location: hXXp://stat.miniload.org/installer.html?param=3cc1db9ac07b
fd57b7d2fc0e66ad626bd84bb0771072883f0179c9d4683561f302de4def1fecf76166
a942fed4c86d4077e435c9ae5a52a5726be07d0018fc5dcf7327d2eae652c14ba5ec21
ba6ffcf95025bf3f7af4918877890c4eec77f79f6bcc329c020d0e81407b9eb274bd74
3105bdb5b9c9c7138bc5fc0490181c2934d13e7a1ec8c93b9133401a19ab3a6bb3b0ed
3ad67ea9123b019ff975e20974bd1e56472afec3d8230e7df9bfbdf01d2051745bae0d
0001a84a54e626301aa2d11d2d67e61bdc8f8653057304eb6cce131013a554b82f8fc6
c5efd03d5ded5ff49defeb4ea2d89d409320814ffb04cabafca99b3a130cf5b1c51a70
57e17802273b5a7830c889cc25f17e23fd4664621e52455c58c836c6ec..<html&g
t;..<head><title>301 Moved Permanently</title></h
ead>..<body bgcolor="white">..<center><h1>301 Mov
ed Permanently</h1></center>..<hr><center>ngin
x</center>..</body>..</html>....
<<< skipped >>>

GET /T/YRI_X.jpeg HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i2.x8.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sun, 20 Mar 2016 04:21:21 GMT

Content-Type: image/jpeg

Content-Length: 12722

Connection: keep-alive

Accept-Ranges: bytes

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Cache-Control: max-age=315360000

Cache-Control: public
......JFIF.....H.H.....C................................... $.' ",#..(
7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222
222222222222222222222...........".....................................
...Q..........................!1...AQ"aq....25RSr.....#s....$3BTc....4
7b.nU.&CD.................................9.........................
!1AQa.."2q.......BR.#...$3.Sbc............?.,X......m.n$..............
hY...... 5.~.k.'..G..l.r..gR|...3..g.&!0...m~....t.....}.A..K..(.A.[H.
..><[email protected].?....G..*sd.5a.(.........V.3...'J}!9.h...2=....
.D...>.<w9.>.4..Dj....;C.a.F....g.4.....t..m.Hy..,p|........%
R.gd.{...8.|...'|...3....Y...i|.g.>.......(o.-....c.5.t...pm,9g....
.....#f.5iFo...g.4.....t.Z..6.F!........z..V...V....^_.H.....Q.. ?..M/
...g.4.=)...F..n....i..go.I.Jay.2=....................K{z......5..0..@
.,-.#<W..B8..g......%.....!.k.. .kN?..V...HRF$M*...;..L{...a=..P...
?.v.D=`...r.5..1.#c...}".. ......\=......Lb.>.n.,y{s....?x.S....>
;...}....o.l...%. .t.A...CG...4.s..V.e.?.h.... |.......~f...!.Z..|.B..
n.R7.n.F<dq.{*.h.k.....J.Z....mm.yt..j...... .o............dU@@...&
lt;|.....d.QT..f...W..z...m.q.. J...&....R(.L..G..gvN..C...c..Y.e.....
H.l..C.FC.O..~Q..H#....xe....5.l..-e.q..K..........-...*.i....N.I<K
..>I.qM.......Yi..,.....as............-gGGp[.{.7........Q.K.J.....V
.h4.kE.....r.7g..X....../.Oo......sIl3".,aA.s.i..Yi4......P.}..c .=...
.5.bu8dw.G.P&.......b8.d...i,-...5-;V.xo.e&..u.;`..^8.|qS.....f..~.9 d
T.;. [email protected][email protected]=.w5.....h.$...x!........Z....R[)..m.
<<< skipped >>>

GET /Zona.7z HTTP/1.1

User-Agent: ZONA_httpget

Host: dl.zona.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 20 Mar 2016 04:21:22 GMT

Content-Type: application/x-7z-compressed

Content-Length: 6841699

Last-Modified: Thu, 24 Dec 2015 06:09:23 GMT

Connection: keep-alive

Content-MD5: 1000528de212b75d1e98e1b79f725681

ETag: "567b8c13-686563"

Accept-Ranges: bytes
].............(..`(...;.ac..ML.].....W.....nED..*.$. .\#...F...Z....?.
...)......;;M..Q.b$..g.cj2.....T.........j.&..J}hZ.`Z...........P0...:
.W..4.......p..-....sK.I...........E..5..M[..i!.4.............0..t.Y.J
.,......%....6....*..*F2s=..y......<....X.s....:$...e..r.%...'tfN.y
.ai....eo.*..H. N{K.>A.k;.QpJ....>'..Q.&....3..ej.\!Ou....Q%_...
....No..7....)J..^.........oy.....<>.C4....7..\.gC.....l...../..
.2.%..3r7}B=..#...*Qa....Jy...4.e^..7.^.Ry...f.0f.|j.e....x...)..5>
...A|`..L....^.../'..........c......jB../.w..._w..?........|2..D~....F
....o..8....J'F...u..e3...r.....]...........U3...}..IT........y..5Y..i
G.f%.............d.....H..J9....?.9;.Ldm......$o..B.c...GH.b.....N*-.u
....'.&_.....C..V....:#..A..G.............I...O.w...z.....1...C..cV...
}W....2..d..,.np.....?.....gZJ3.o..]>...N.m..>..4.C........... .
......s..D.......:s..\h.Y.7l;FSsi....Y.....&.L{.Z...|.J..g.Q..m....Tm&
.5.._...i [&~.yw..M...E.oD....$........~..I..:j:].....h.y7.dI.."..7u.&
.....E...f..PA../.6.b..O<.<[email protected]<..j........k...]
.....GO......g.7.....t....6.....5.n4.I"3x.....w.G........n*...j......u
`[email protected].#qK..d...5....x.W3I...Dn2Wx...N..i......y#........ ...t...E..
..>..........nD......^$X....<.'a............W...6.D.s...Qf`.%...
0@%;... 6......._tu.O#...w.V.....8&/.....w.7..c....H.&.h.(.~..X."=....
`.`.gy..<t......!...*.7Cs5........&...n."lj.'.Z...........R..Xn....
...n..F;y.X.{..@^{S!..F]-HF....h.....18...j..L..U$........s.c..z.,.T=T
.W.....W...a:.....dK.....Hs..qj.HZ<.uT........N............R...
<<< skipped >>>

GET /appdata.7z HTTP/1.1

User-Agent: ZONA_httpget

Host: dl.zona.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 20 Mar 2016 04:21:22 GMT

Content-Type: application/x-7z-compressed

Content-Length: 20696765

Last-Modified: Thu, 24 Dec 2015 05:58:18 GMT

Connection: keep-alive

Content-MD5: caa8ecbd2704a23b18d8430bbc9e6b11

ETag: "567b897a-13bcebd"

Accept-Ranges: bytes
].............(..`(...;.Z)..ML.x....;.[...$&..7..^.....4.L.Y\|..=.....
....q7...P1E..d.. $.qEW.;..t...&...3{..?.....#.K.@<.^......sj.Pk.c.
e..Oc..........w.!...V7.......u~.{.o..H.S.e(.&.:{.A.W...bf.\..4.K0$.Y.
... z.v.J...g.V\LT.*Z9.C.AV.}K...={:"..n.....s&...K]9....v.....Y......
...n/...t.Im..].Q...4~..V..'%}).....].#|?.ed..6..1..o.E....H....s@>
......O....0L...(.:[email protected]....!PQ....}.\ ..b.]N.v.K..?.....
y...}.X.HS.../yuXdt......U.!.I6SgLZ.3~..i.H.:........7&.f&.G...;......
.1..B{zI.l..."H)'..8...kn..%...s*G.._..g..........h,uj_De..n(.R:..,._.
...<..pd.{.Y.\[email protected][email protected]. .|.h.N./..
....q.P..U<.X:m.........M..../...C[.`.....D1.._-.G...4..~.Yh;?.."..
g..;.....Va..i.&n.;....zx.C......E.%..p.q5.9C.GT.....iMg.7.'}6..S..S..
..Bp.c.EQ._.}.H..... {..._f..}A..O....J,&.. [email protected].]s...U9R<...>
;...)O....%....E.}'b...h!..-.B.....e.m......f./..T.i..*...s2bY.%....`.
Ed...u.w.uN..D....8Yt.g..|.J..Q.]\.#..Y9......:......P|vB3.j.....~..t#
^y.....9.....c....jQ....>@F.....?,[email protected]|...u..3ovqT.}.[..
..M...9.r.....J.Y~.;.....:[email protected]@.....u.[..*k}...*c...
!.T...'0\..L....K.v=..........J..:w..........r.&...a....xNPP*v..I..mSN
....f..k..'...d....0u...^.U.w$.z.*..1..I..x.z.M=.<.....=.B7H..anD..
n|..Em..Q..~X%.d....z.......L.g.wo\H...4f.AI.Q..3.p..]S...x/....TE.C.y
....n..d]x..,..4k._..i s.......^v.\o..[.....y(K/.[qk...5W.[...M..1.u..
F=...v...r.~...&.....8..2./T....8......Jy.....>.foy|H..)F.G.,A....o
&.pE..t..~'...h.M.Id.=...X.... ....\.N....8..Qs....,......m"!.....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

`.rsrc

SSSSh

u.hx9A

user32.dll

zcÁ

LAUNCH_ON_WINDOWS_STARTUP=

.torrent

Mail.Ru

@Mail.Ru

[email protected]

FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=

Chrome

1.0.1.6

LAUNCH_ON_WINDOWS_STARTUP=Start Zona when Windows starts

OPEN_TORRENT_VIA_ZONA=Open .torrent files in Zona

MAILRU_HOME_PAGE=Set Mail.Ru homepage

MAILRU_SEARCH=Set [email protected] search by default

MAILRU_INSTALL_GUARD=Install [email protected]

@Mail.Ru for FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=Install Chrome extensions

VERSION_LESS_THAN_1016=This link works in Zona version 1.0.1.6 and above. Please wait for updates and follow the link again.

ru/megamakc/core/JavaVer.class

ru/megamakc/zip/IZipCreator.classMOKj

ru/megamakc/zip/ZipHelper$1.class}QMo

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.class

ru/megamakc/zip/ZipHelper.class

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.class

org/sevenzip/decoder/LzmaAloneDecoder.class

U.sjb

org/sevenzip/decoder/LzmaException.class

org/sevenzip/decoder/CRC.classuSMO

org/sevenzip/decoder/compression/lz/OutWindow.class

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder.class

/"%7Xd{

org/sevenzip/decoder/compression/lzma/Base.class

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.class

org/sevenzip/decoder/compression/rangecoder/Decoder.class

ru/megamakc/core/hash/ProgressListener.class;

ru/megamakc/core/tools/FileHelperBase.class

ru/megamakc/core/tools/ReflectionHelper.class

ru/megamakc/core/path/IPathConverter.classm

org/sevenzip/decoder/SevenZipFolderDecoder.class

org/sevenzip/decoder/SevenZipFolderDecoder$Log.class

ru/megamakc/core/JavaVer.classPK

ru/megamakc/zip/IZipCreator.classPK

ru/megamakc/zip/ZipHelper$1.classPK

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.classPK

ru/megamakc/zip/ZipHelper.classPK

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.classPK

org/sevenzip/decoder/LzmaAloneDecoder.classPK

org/sevenzip/decoder/LzmaException.classPK

org/sevenzip/decoder/CRC.classPK

org/sevenzip/decoder/compression/lz/OutWindow.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder.classPK

org/sevenzip/decoder/compression/lzma/Base.classPK

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.classPK

org/sevenzip/decoder/compression/rangecoder/Decoder.classPK

ru/megamakc/core/hash/ProgressListener.classPK

ru/megamakc/core/tools/FileHelperBase.classPK

ru/megamakc/core/tools/ReflectionHelper.classPK

ru/megamakc/core/path/IPathConverter.classPK

org/sevenzip/decoder/SevenZipFolderDecoder.classPK

org/sevenzip/decoder/SevenZipFolderDecoder$Log.classPK

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\lang1049\kerning1\b\f0\fs16\'cb\'c8\'d6\'c5\'cd\'c7\'c8\'ce\'cd\'cd\'ce\'c5 \'d1\'ce\'c3\'cb\'c0\'d8\'c5\'cd\'c8\'c5 \'d1 \'ca\'ce\'cd\'c5\'d7\'cd\'db\'cc \'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'d2\'c5\'cb\'c5\'cc \'cf\'ce \'c8\'d1\'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'cd\'c8\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'db \'c4\'cb\'df \'dd\'c2\'cc \lang1033\f1\'abZONA\'bb.\par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\hyphpar0\qc\lang1049\kerning1\b\f0\fs16 END USER LICENSE AGREEMENT FOR THE ZONA SOFTWARE \par

\tab It is clarified for the User and the User understands that according to the legal position of the Russian Federation Supreme Arbitration Court expressed in the Presidium decree dated 23.12.2008 No 10962/08, the provider is not responsible for the information transmitted, unless the provider initiates its transmission, selects the information recipient or affects the information integrity. \par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\kerning1\b\f0\fs16 \'cb\'b2\'d6\'c5\'cd\'c7\'b2\'c9\'cd\'c0 \'d3\'c3\'ce\'c4\'c0 \'c7 \'ca\'b2\'cd\'d6\'c5\'c2\'c8\'cc \'ca\'ce\'d0\'c8\'d1\'d2\'d3\'c2\'c0\'d7\'c5\'cc \'cf\'ce \'c2\'c8\'ca\'ce\'d0\'c8\'d1\'d2\'c0\'cd\'cd\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'c8 \'c4\'cb\'df \'c5\'ce\'cc \'abZONA\'bb.\par

\tab\'ca\'ee\'f0\'e8\'f1\'f2\'f3\'e2\'e0\'f7\'f3 \'f0\'ee\'e7'\'ff\'f1\'ed\'e5\'ed\'ee \'f2\'e0 \'e7\'f0\'ee\'e7\'f3\'ec\'b3\'eb\'ee, \'f9\'ee \'c7\'e3\'b3\'e4\'ed\'ee \'e7 \'ef\'f0\'e0\'e2\'ee\'e2\'ee\'fe \'ef\'ee\'e7\'e8\'f6\'b3\'ba\'fe \'c2\'e8\'f9\'ee\'e3\'ee \'c0\'f0\'e1\'b3\'f2\'f0\'e0\'e6\'ed\'ee\'e3\'ee \'d1\'f3\'e4\'f3 \'d0\'ee\'f1\'b3\'e9\'f1\'fc\'ea\'ee\'bf \'d4\'e5\'e4\'e5\'f0\'e0\'f6\'b3\'bf, \'e2\'e8\'f0\'e0\'e6\'e5\'ed\'ee\'bf \'e2 \'ef\'ee\'f1\'f2\'e0\'ed\'ee\'e2\'b3 \'cf\'f0\'e5\'e7\'e8\'e4\'b3\'bf \'e2\'b3\'e4 23.12.2008 N 10962/08, \'ef\'f0\'ee\'e2\'e0\'e9\'e4\'e5\'f0 \'ed\'e5 \'ed\'e5\'f1\'e5 \'e2\'b3\'e4\'ef\'ee\'e2\'b3\'e4\'e0\'eb\'fc\'ed\'ee\'f1\'f2\'b3 \'e7\'e0 \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'f3 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'fe, \'ff\'ea\'f9\'ee \'ed\'e5 \'e2\'b3\'ed \'b3\'ed\'b3\'f6\'b3\'fe\'ba \'bf\'bf \'ef\'e5\'f0\'e5\'e4\'e0\'f7\'f3, \'e2\'e8\'e1\'e8\'f0\'e0\'ba \'ee\'e4\'e5\'f0\'e6\'f3\'e2\'e0\'f7\'e0 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf, \'e2\'ef\'eb\'e8\'e2\'e0\'ba \'ed\'e0 \'f6\'b3\'eb\'b3\'f1\'ed\'b3\'f1\'f2\'fc \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'ee\'bf \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf.\b\par

GetCPInfo

CreateNamedPipeW

ConnectNamedPipe

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyW

RegCloseKey

ShellExecuteExW

ShellExecuteW

URLOpenBlockingStreamW

InternetCrackUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

.text

`.rdata

@.data

.rsrc

D.cd$

G$C.sr

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>

<v3:requestedExecutionLevel level="asInvoker"></v3:requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

GDI32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

SHLWAPI.dll

urlmon.dll

USER32.dll

WININET.dll

\\.\pipe\zona_cmd_pipe

Failed to make connection on named pipe.

hXXp://zona.ru/?ref=installer_%s

hXXp://zona.ru/img/no-cover.jpg

LAUNCH_ON_WINDOWS_STARTUP

%s_%d

%s\%s

unpack_%s_%d

hXXp://dl.zona.ru/pinstall/

%s&%s

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%}

%s /standalone%s%s %s

RUpdate.exe

rambler_%s.7z

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%,%"guard%"%:%"%s%"%}

%s /silent%s%s%s %s

MailRuSputnik.exe

riched20.dll

hXXp://dl.zona.ru/jre_latest.exe

%sjavaSetup.exe

hXXp://dl.zona.ru/jre_packed.exe

%sjre_packed.exe

hXXp://dl.zona.ru/appdata.7z

%sappdata.7z

hXXp://dl.zona.ru/Zona.7z

%sZona.7z

extractPlugin_%d

extractCore_%d

createInitXml_%d

%s\init.xml

Execute process NO WAIT, cmd:

Exit code is %d

Execute process, WAIT cmd:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

Zona.exe

bin\javaw.exe

%s\jre

"%s" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

"%s" %s

%s\%s -classpath "%s\utils.jar" ru.megamakc.core.JavaVer

%s\utils.jar

utils.jar is found

utils.jar is not found, extract him

%s\License_en.rtf

%s\License_uk.rtf

%s\License_ru.rtf

"%s\bin\javaw.exe" -classpath "%s" org.sevenzip.decoder.SevenZipFolderDecoder "%s" "%s"

zona_web_setup_mutex

%s\%s /copydll

"%s\bin\java" -classpath "%s\Zona.jar" org.gudy.azureus2.core3.util.Constants

%s&errors=%s

guid=%s&mode=%s&version=%s&os=%s&installId=%s&pid=%s&torrentHash=%s&pinstall=%s&md5=%s&serial=%s

%sparam=%s

hXXp://zona.ru/installer.html?

%s&java_install=%s

%s&mode_ext=%s

Software\Microsoft\Windows\CurrentVersion\Run

%s\Zona.exe /MINIMIZED

Software\Classes\.zona

.zona

Software\Classes\.torrent

.torrent

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids

"%s\torrent.ico"

URL Protocol

Applications\Zona.exe\shell\open\command

"%s" "%%1"

%s\torrent.ico

%s\Programs\Zona.lnk

%s\Zona.lnk

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona)

%s\uninstall.exe

Error: %d

%d.%d.%d

12:41:29

%sx

\init.xml

%s\zona.ru\zona.sol

%s\zona.ru

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\%s

\Macromedia\Flash Player\#SharedObjects\%s

%s, ErrorText: %s

id:%s, url: Error #%d

wininet.dll

ZONA_httpget

httpget start synch loading

httpget start asynch loading

HNetCfg.FwAuthorizedApplication

HNetCfg.FwMgr

ZonaInstall.log

[%d_%d_%d %d:%d:%d:%d] %s : [%s] : %s

hXXp://i2.x8.net/T/YRI_X.jpeg

%Program Files%\Zona

%Documents and Settings%\%current user%\My Documents\Zona Download

%Program Files%\Java\jre6

%Documents and Settings%\%current user%\Application Data\Zona

FCE438B1-1301-46D8-BD5A-2BAE7656386D

AA45732E-0228-4A12-BD0A-435FA47D3CF3

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ZonaInstall.log

c:\%original file name%.exe

%original file name%.exe_312_rwx_00401000_00037000:

SSSSh

u.hx9A

user32.dll

zcÁ

LAUNCH_ON_WINDOWS_STARTUP=

.torrent

Mail.Ru

@Mail.Ru

[email protected]

FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=

Chrome

1.0.1.6

LAUNCH_ON_WINDOWS_STARTUP=Start Zona when Windows starts

OPEN_TORRENT_VIA_ZONA=Open .torrent files in Zona

MAILRU_HOME_PAGE=Set Mail.Ru homepage

MAILRU_SEARCH=Set [email protected] search by default

MAILRU_INSTALL_GUARD=Install [email protected]

@Mail.Ru for FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=Install Chrome extensions

VERSION_LESS_THAN_1016=This link works in Zona version 1.0.1.6 and above. Please wait for updates and follow the link again.

ru/megamakc/core/JavaVer.class

ru/megamakc/zip/IZipCreator.classMOKj

ru/megamakc/zip/ZipHelper$1.class}QMo

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.class

ru/megamakc/zip/ZipHelper.class

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.class

org/sevenzip/decoder/LzmaAloneDecoder.class

U.sjb

org/sevenzip/decoder/LzmaException.class

org/sevenzip/decoder/CRC.classuSMO

org/sevenzip/decoder/compression/lz/OutWindow.class

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder.class

/"%7Xd{

org/sevenzip/decoder/compression/lzma/Base.class

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.class

org/sevenzip/decoder/compression/rangecoder/Decoder.class

ru/megamakc/core/hash/ProgressListener.class;

ru/megamakc/core/tools/FileHelperBase.class

ru/megamakc/core/tools/ReflectionHelper.class

ru/megamakc/core/path/IPathConverter.classm

org/sevenzip/decoder/SevenZipFolderDecoder.class

org/sevenzip/decoder/SevenZipFolderDecoder$Log.class

ru/megamakc/core/JavaVer.classPK

ru/megamakc/zip/IZipCreator.classPK

ru/megamakc/zip/ZipHelper$1.classPK

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.classPK

ru/megamakc/zip/ZipHelper.classPK

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.classPK

org/sevenzip/decoder/LzmaAloneDecoder.classPK

org/sevenzip/decoder/LzmaException.classPK

org/sevenzip/decoder/CRC.classPK

org/sevenzip/decoder/compression/lz/OutWindow.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder.classPK

org/sevenzip/decoder/compression/lzma/Base.classPK

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.classPK

org/sevenzip/decoder/compression/rangecoder/Decoder.classPK

ru/megamakc/core/hash/ProgressListener.classPK

ru/megamakc/core/tools/FileHelperBase.classPK

ru/megamakc/core/tools/ReflectionHelper.classPK

ru/megamakc/core/path/IPathConverter.classPK

org/sevenzip/decoder/SevenZipFolderDecoder.classPK

org/sevenzip/decoder/SevenZipFolderDecoder$Log.classPK

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\lang1049\kerning1\b\f0\fs16\'cb\'c8\'d6\'c5\'cd\'c7\'c8\'ce\'cd\'cd\'ce\'c5 \'d1\'ce\'c3\'cb\'c0\'d8\'c5\'cd\'c8\'c5 \'d1 \'ca\'ce\'cd\'c5\'d7\'cd\'db\'cc \'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'d2\'c5\'cb\'c5\'cc \'cf\'ce \'c8\'d1\'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'cd\'c8\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'db \'c4\'cb\'df \'dd\'c2\'cc \lang1033\f1\'abZONA\'bb.\par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\hyphpar0\qc\lang1049\kerning1\b\f0\fs16 END USER LICENSE AGREEMENT FOR THE ZONA SOFTWARE \par

\tab It is clarified for the User and the User understands that according to the legal position of the Russian Federation Supreme Arbitration Court expressed in the Presidium decree dated 23.12.2008 No 10962/08, the provider is not responsible for the information transmitted, unless the provider initiates its transmission, selects the information recipient or affects the information integrity. \par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\kerning1\b\f0\fs16 \'cb\'b2\'d6\'c5\'cd\'c7\'b2\'c9\'cd\'c0 \'d3\'c3\'ce\'c4\'c0 \'c7 \'ca\'b2\'cd\'d6\'c5\'c2\'c8\'cc \'ca\'ce\'d0\'c8\'d1\'d2\'d3\'c2\'c0\'d7\'c5\'cc \'cf\'ce \'c2\'c8\'ca\'ce\'d0\'c8\'d1\'d2\'c0\'cd\'cd\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'c8 \'c4\'cb\'df \'c5\'ce\'cc \'abZONA\'bb.\par

\tab\'ca\'ee\'f0\'e8\'f1\'f2\'f3\'e2\'e0\'f7\'f3 \'f0\'ee\'e7'\'ff\'f1\'ed\'e5\'ed\'ee \'f2\'e0 \'e7\'f0\'ee\'e7\'f3\'ec\'b3\'eb\'ee, \'f9\'ee \'c7\'e3\'b3\'e4\'ed\'ee \'e7 \'ef\'f0\'e0\'e2\'ee\'e2\'ee\'fe \'ef\'ee\'e7\'e8\'f6\'b3\'ba\'fe \'c2\'e8\'f9\'ee\'e3\'ee \'c0\'f0\'e1\'b3\'f2\'f0\'e0\'e6\'ed\'ee\'e3\'ee \'d1\'f3\'e4\'f3 \'d0\'ee\'f1\'b3\'e9\'f1\'fc\'ea\'ee\'bf \'d4\'e5\'e4\'e5\'f0\'e0\'f6\'b3\'bf, \'e2\'e8\'f0\'e0\'e6\'e5\'ed\'ee\'bf \'e2 \'ef\'ee\'f1\'f2\'e0\'ed\'ee\'e2\'b3 \'cf\'f0\'e5\'e7\'e8\'e4\'b3\'bf \'e2\'b3\'e4 23.12.2008 N 10962/08, \'ef\'f0\'ee\'e2\'e0\'e9\'e4\'e5\'f0 \'ed\'e5 \'ed\'e5\'f1\'e5 \'e2\'b3\'e4\'ef\'ee\'e2\'b3\'e4\'e0\'eb\'fc\'ed\'ee\'f1\'f2\'b3 \'e7\'e0 \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'f3 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'fe, \'ff\'ea\'f9\'ee \'ed\'e5 \'e2\'b3\'ed \'b3\'ed\'b3\'f6\'b3\'fe\'ba \'bf\'bf \'ef\'e5\'f0\'e5\'e4\'e0\'f7\'f3, \'e2\'e8\'e1\'e8\'f0\'e0\'ba \'ee\'e4\'e5\'f0\'e6\'f3\'e2\'e0\'f7\'e0 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf, \'e2\'ef\'eb\'e8\'e2\'e0\'ba \'ed\'e0 \'f6\'b3\'eb\'b3\'f1\'ed\'b3\'f1\'f2\'fc \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'ee\'bf \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf.\b\par

GetCPInfo

CreateNamedPipeW

ConnectNamedPipe

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyW

RegCloseKey

ShellExecuteExW

ShellExecuteW

URLOpenBlockingStreamW

InternetCrackUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

.text

`.rdata

@.data

.rsrc

\\.\pipe\zona_cmd_pipe

Failed to make connection on named pipe.

hXXp://zona.ru/?ref=installer_%s

hXXp://zona.ru/img/no-cover.jpg

LAUNCH_ON_WINDOWS_STARTUP

%s_%d

%s\%s

unpack_%s_%d

hXXp://dl.zona.ru/pinstall/

%s&%s

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%}

%s /standalone%s%s %s

RUpdate.exe

rambler_%s.7z

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%,%"guard%"%:%"%s%"%}

%s /silent%s%s%s %s

MailRuSputnik.exe

riched20.dll

hXXp://dl.zona.ru/jre_latest.exe

%sjavaSetup.exe

hXXp://dl.zona.ru/jre_packed.exe

%sjre_packed.exe

hXXp://dl.zona.ru/appdata.7z

%sappdata.7z

hXXp://dl.zona.ru/Zona.7z

%sZona.7z

extractPlugin_%d

extractCore_%d

createInitXml_%d

%s\init.xml

Execute process NO WAIT, cmd:

Exit code is %d

Execute process, WAIT cmd:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

Zona.exe

bin\javaw.exe

%s\jre

"%s" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

"%s" %s

%s\%s -classpath "%s\utils.jar" ru.megamakc.core.JavaVer

%s\utils.jar

utils.jar is found

utils.jar is not found, extract him

%s\License_en.rtf

%s\License_uk.rtf

%s\License_ru.rtf

"%s\bin\javaw.exe" -classpath "%s" org.sevenzip.decoder.SevenZipFolderDecoder "%s" "%s"

zona_web_setup_mutex

%s\%s /copydll

"%s\bin\java" -classpath "%s\Zona.jar" org.gudy.azureus2.core3.util.Constants

%s&errors=%s

guid=%s&mode=%s&version=%s&os=%s&installId=%s&pid=%s&torrentHash=%s&pinstall=%s&md5=%s&serial=%s

%sparam=%s

hXXp://zona.ru/installer.html?

%s&java_install=%s

%s&mode_ext=%s

Software\Microsoft\Windows\CurrentVersion\Run

%s\Zona.exe /MINIMIZED

Software\Classes\.zona

.zona

Software\Classes\.torrent

.torrent

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids

"%s\torrent.ico"

URL Protocol

Applications\Zona.exe\shell\open\command

"%s" "%%1"

%s\torrent.ico

%s\Programs\Zona.lnk

%s\Zona.lnk

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona)

%s\uninstall.exe

Error: %d

%d.%d.%d

12:41:29

%sx

\init.xml

%s\zona.ru\zona.sol

%s\zona.ru

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\%s

\Macromedia\Flash Player\#SharedObjects\%s

%s, ErrorText: %s

id:%s, url: Error #%d

wininet.dll

ZONA_httpget

httpget start synch loading

httpget start asynch loading

HNetCfg.FwAuthorizedApplication

HNetCfg.FwMgr

ZonaInstall.log

[%d_%d_%d %d:%d:%d:%d] %s : [%s] : %s

hXXp://i2.x8.net/T/YRI_X.jpeg

%Program Files%\Zona

%Documents and Settings%\%current user%\My Documents\Zona Download

%Program Files%\Java\jre6

%Documents and Settings%\%current user%\Application Data\Zona

FCE438B1-1301-46D8-BD5A-2BAE7656386D

AA45732E-0228-4A12-BD0A-435FA47D3CF3

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ZonaInstall.log

c:\%original file name%.exe

%original file name%.exe_1888:

`.rsrc

SSSSh

u.hx9A

user32.dll

zcÁ

LAUNCH_ON_WINDOWS_STARTUP=

.torrent

Mail.Ru

@Mail.Ru

[email protected]

FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=

Chrome

1.0.1.6

LAUNCH_ON_WINDOWS_STARTUP=Start Zona when Windows starts

OPEN_TORRENT_VIA_ZONA=Open .torrent files in Zona

MAILRU_HOME_PAGE=Set Mail.Ru homepage

MAILRU_SEARCH=Set [email protected] search by default

MAILRU_INSTALL_GUARD=Install [email protected]

@Mail.Ru for FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=Install Chrome extensions

VERSION_LESS_THAN_1016=This link works in Zona version 1.0.1.6 and above. Please wait for updates and follow the link again.

ru/megamakc/core/JavaVer.class

ru/megamakc/zip/IZipCreator.classMOKj

ru/megamakc/zip/ZipHelper$1.class}QMo

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.class

ru/megamakc/zip/ZipHelper.class

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.class

org/sevenzip/decoder/LzmaAloneDecoder.class

U.sjb

org/sevenzip/decoder/LzmaException.class

org/sevenzip/decoder/CRC.classuSMO

org/sevenzip/decoder/compression/lz/OutWindow.class

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder.class

/"%7Xd{

org/sevenzip/decoder/compression/lzma/Base.class

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.class

org/sevenzip/decoder/compression/rangecoder/Decoder.class

ru/megamakc/core/hash/ProgressListener.class;

ru/megamakc/core/tools/FileHelperBase.class

ru/megamakc/core/tools/ReflectionHelper.class

ru/megamakc/core/path/IPathConverter.classm

org/sevenzip/decoder/SevenZipFolderDecoder.class

org/sevenzip/decoder/SevenZipFolderDecoder$Log.class

ru/megamakc/core/JavaVer.classPK

ru/megamakc/zip/IZipCreator.classPK

ru/megamakc/zip/ZipHelper$1.classPK

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.classPK

ru/megamakc/zip/ZipHelper.classPK

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.classPK

org/sevenzip/decoder/LzmaAloneDecoder.classPK

org/sevenzip/decoder/LzmaException.classPK

org/sevenzip/decoder/CRC.classPK

org/sevenzip/decoder/compression/lz/OutWindow.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder.classPK

org/sevenzip/decoder/compression/lzma/Base.classPK

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.classPK

org/sevenzip/decoder/compression/rangecoder/Decoder.classPK

ru/megamakc/core/hash/ProgressListener.classPK

ru/megamakc/core/tools/FileHelperBase.classPK

ru/megamakc/core/tools/ReflectionHelper.classPK

ru/megamakc/core/path/IPathConverter.classPK

org/sevenzip/decoder/SevenZipFolderDecoder.classPK

org/sevenzip/decoder/SevenZipFolderDecoder$Log.classPK

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\lang1049\kerning1\b\f0\fs16\'cb\'c8\'d6\'c5\'cd\'c7\'c8\'ce\'cd\'cd\'ce\'c5 \'d1\'ce\'c3\'cb\'c0\'d8\'c5\'cd\'c8\'c5 \'d1 \'ca\'ce\'cd\'c5\'d7\'cd\'db\'cc \'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'d2\'c5\'cb\'c5\'cc \'cf\'ce \'c8\'d1\'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'cd\'c8\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'db \'c4\'cb\'df \'dd\'c2\'cc \lang1033\f1\'abZONA\'bb.\par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\hyphpar0\qc\lang1049\kerning1\b\f0\fs16 END USER LICENSE AGREEMENT FOR THE ZONA SOFTWARE \par

\tab It is clarified for the User and the User understands that according to the legal position of the Russian Federation Supreme Arbitration Court expressed in the Presidium decree dated 23.12.2008 No 10962/08, the provider is not responsible for the information transmitted, unless the provider initiates its transmission, selects the information recipient or affects the information integrity. \par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\kerning1\b\f0\fs16 \'cb\'b2\'d6\'c5\'cd\'c7\'b2\'c9\'cd\'c0 \'d3\'c3\'ce\'c4\'c0 \'c7 \'ca\'b2\'cd\'d6\'c5\'c2\'c8\'cc \'ca\'ce\'d0\'c8\'d1\'d2\'d3\'c2\'c0\'d7\'c5\'cc \'cf\'ce \'c2\'c8\'ca\'ce\'d0\'c8\'d1\'d2\'c0\'cd\'cd\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'c8 \'c4\'cb\'df \'c5\'ce\'cc \'abZONA\'bb.\par

\tab\'ca\'ee\'f0\'e8\'f1\'f2\'f3\'e2\'e0\'f7\'f3 \'f0\'ee\'e7'\'ff\'f1\'ed\'e5\'ed\'ee \'f2\'e0 \'e7\'f0\'ee\'e7\'f3\'ec\'b3\'eb\'ee, \'f9\'ee \'c7\'e3\'b3\'e4\'ed\'ee \'e7 \'ef\'f0\'e0\'e2\'ee\'e2\'ee\'fe \'ef\'ee\'e7\'e8\'f6\'b3\'ba\'fe \'c2\'e8\'f9\'ee\'e3\'ee \'c0\'f0\'e1\'b3\'f2\'f0\'e0\'e6\'ed\'ee\'e3\'ee \'d1\'f3\'e4\'f3 \'d0\'ee\'f1\'b3\'e9\'f1\'fc\'ea\'ee\'bf \'d4\'e5\'e4\'e5\'f0\'e0\'f6\'b3\'bf, \'e2\'e8\'f0\'e0\'e6\'e5\'ed\'ee\'bf \'e2 \'ef\'ee\'f1\'f2\'e0\'ed\'ee\'e2\'b3 \'cf\'f0\'e5\'e7\'e8\'e4\'b3\'bf \'e2\'b3\'e4 23.12.2008 N 10962/08, \'ef\'f0\'ee\'e2\'e0\'e9\'e4\'e5\'f0 \'ed\'e5 \'ed\'e5\'f1\'e5 \'e2\'b3\'e4\'ef\'ee\'e2\'b3\'e4\'e0\'eb\'fc\'ed\'ee\'f1\'f2\'b3 \'e7\'e0 \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'f3 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'fe, \'ff\'ea\'f9\'ee \'ed\'e5 \'e2\'b3\'ed \'b3\'ed\'b3\'f6\'b3\'fe\'ba \'bf\'bf \'ef\'e5\'f0\'e5\'e4\'e0\'f7\'f3, \'e2\'e8\'e1\'e8\'f0\'e0\'ba \'ee\'e4\'e5\'f0\'e6\'f3\'e2\'e0\'f7\'e0 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf, \'e2\'ef\'eb\'e8\'e2\'e0\'ba \'ed\'e0 \'f6\'b3\'eb\'b3\'f1\'ed\'b3\'f1\'f2\'fc \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'ee\'bf \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf.\b\par

GetCPInfo

CreateNamedPipeW

ConnectNamedPipe

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyW

RegCloseKey

ShellExecuteExW

ShellExecuteW

URLOpenBlockingStreamW

InternetCrackUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

.text

`.rdata

@.data

.rsrc

D.cd$

G$C.sr

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>

<v3:requestedExecutionLevel level="asInvoker"></v3:requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

GDI32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

SHLWAPI.dll

urlmon.dll

USER32.dll

WININET.dll

\\.\pipe\zona_cmd_pipe

Failed to make connection on named pipe.

hXXp://zona.ru/?ref=installer_%s

hXXp://zona.ru/img/no-cover.jpg

LAUNCH_ON_WINDOWS_STARTUP

%s_%d

%s\%s

unpack_%s_%d

hXXp://dl.zona.ru/pinstall/

%s&%s

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%}

%s /standalone%s%s %s

RUpdate.exe

rambler_%s.7z

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%,%"guard%"%:%"%s%"%}

%s /silent%s%s%s %s

MailRuSputnik.exe

riched20.dll

hXXp://dl.zona.ru/jre_latest.exe

%sjavaSetup.exe

hXXp://dl.zona.ru/jre_packed.exe

%sjre_packed.exe

hXXp://dl.zona.ru/appdata.7z

%sappdata.7z

hXXp://dl.zona.ru/Zona.7z

%sZona.7z

extractPlugin_%d

extractCore_%d

createInitXml_%d

%s\init.xml

Execute process NO WAIT, cmd:

Exit code is %d

Execute process, WAIT cmd:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

Zona.exe

bin\javaw.exe

%s\jre

"%s" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

"%s" %s

%s\%s -classpath "%s\utils.jar" ru.megamakc.core.JavaVer

%s\utils.jar

utils.jar is found

utils.jar is not found, extract him

%s\License_en.rtf

%s\License_uk.rtf

%s\License_ru.rtf

"%s\bin\javaw.exe" -classpath "%s" org.sevenzip.decoder.SevenZipFolderDecoder "%s" "%s"

zona_web_setup_mutex

%s\%s /copydll

"%s\bin\java" -classpath "%s\Zona.jar" org.gudy.azureus2.core3.util.Constants

%s&errors=%s

guid=%s&mode=%s&version=%s&os=%s&installId=%s&pid=%s&torrentHash=%s&pinstall=%s&md5=%s&serial=%s

%sparam=%s

hXXp://zona.ru/installer.html?

%s&java_install=%s

%s&mode_ext=%s

Software\Microsoft\Windows\CurrentVersion\Run

%s\Zona.exe /MINIMIZED

Software\Classes\.zona

.zona

Software\Classes\.torrent

.torrent

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids

"%s\torrent.ico"

URL Protocol

Applications\Zona.exe\shell\open\command

"%s" "%%1"

%s\torrent.ico

%s\Programs\Zona.lnk

%s\Zona.lnk

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona)

%s\uninstall.exe

Error: %d

%d.%d.%d

12:41:29

%sx

\init.xml

%s\zona.ru\zona.sol

%s\zona.ru

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\%s

\Macromedia\Flash Player\#SharedObjects\%s

%s, ErrorText: %s

id:%s, url: Error #%d

wininet.dll

ZONA_httpget

httpget start synch loading

httpget start asynch loading

HNetCfg.FwAuthorizedApplication

HNetCfg.FwMgr

ZonaInstall.log

[%d_%d_%d %d:%d:%d:%d] %s : [%s] : %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ZonaInstall.log

c:\%original file name%.exe

Zona.exe_1716:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

&hx%D

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

GetProcessWindowStation

operator

inflate 1.1.3 Copyright 1995-1998 Mark Adler

123456789

u/megamakc/core/JavaVer.class

ru/megamakc/core/JavaArch.class

D:\workspace_mars\Installer\Installer\Release\ZonaRunner.pdb

GdiplusShutdown

gdiplus.dll

InternetCrackUrlW

HttpSendRequestW

HttpAddRequestHeadersW

HttpQueryInfoW

HttpOpenRequestW

WININET.dll

GetWindowsDirectoryW

KERNEL32.dll

EnumWindows

USER32.dll

GDI32.dll

RegCreateKeyExW

RegOpenKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHFileOperationW

SHELL32.dll

SHLWAPI.dll

VERSION.dll

GetCPInfo

zcÁ

.?AVUrlLinkLabel@@

.?AVExecuteProcessCommand@@

.?AVKeyState@@

.?AVWindowsRegistry@@

8|u%SS3

04|#04|.04|?04|

.tgPV

FTPjK

FtPj;

C.PjRVj

9|u.VV3

!7|&"7|~"7|

msvcr71.pdb

kernel32.dll

6y4|__MSVCRT_HEAP_SELECT

MSVCR71.dll

_CRT_RTC_INIT

__crtCompareStringA

__crtCompareStringW

__crtGetLocaleInfoW

__crtGetStringTypeW

__crtLCMapStringA

__crtLCMapStringW

__p__acmdln

__p__wcmdln

_acmdln

_amsg_exit

_execl

_execle

_execlp

_execlpe

_execv

_execve

_execvp

_execvpe

_pipe

_wcmdln

_wexecl

_wexecle

_wexeclp

_wexeclpe

_wexecv

_wexecve

_wexecvp

_wexecvpe

setnewh.cpp

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

4|GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

n5|.com

cmd.exe

command.com

%S#[k

?#%X.y

GetConsoleOutputCP

PeekNamedPipe

CreatePipe

Assertion failed: %s, file %s, line %d

"%7|"%7|

;$;*;/;7;

7$858=8{8

8!8%8*898

5]5Q5\5i5

11m1

;'; ;7;;;

9 9$94989

`.data

MSVCR100.dll

??0invalid_operation@Concurrency@@QAE@PBD@Z

??0invalid_operation@Concurrency@@QAE@XZ

??0invalid_oversubscribe_operation@Concurrency@@QAE@PBD@Z

??0invalid_oversubscribe_operation@Concurrency@@QAE@XZ

??0invalid_scheduler_policy_key@Concurrency@@QAE@PBD@Z

??0invalid_scheduler_policy_key@Concurrency@@QAE@XZ

??0operation_timed_out@Concurrency@@QAE@PBD@Z

??0operation_timed_out@Concurrency@@QAE@XZ

??0unsupported_os@Concurrency@@QAE@PBD@Z

??0unsupported_os@Concurrency@@QAE@XZ

?GetExecutionContextId@Concurrency@@YAIXZ

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z

?SetPolicyValue@SchedulerPolicy@Concurrency@@QAEIW4PolicyElementKey@2@I@Z

?_ConcRT_Assert@details@Concurrency@@YAXPBD0H@Z

?_ConcRT_CoreAssert@details@Concurrency@@YAXPBD0H@Z

?_ConcRT_DumpMessage@details@Concurrency@@YAXPB_WZZ

?_ConcRT_Trace@details@Concurrency@@YAXHPB_WZZ

?_Trace_ppl_function@Concurrency@@YAXABU_GUID@@EW4ConcRT_EventType@1@@Z

?_ValidateExecute@@YAHP6GHXZ@Z

_CRT_RTC_INITW

__report_gsfailure

_calloc_crt

_crt_debugger_hook

_malloc_crt

_realloc_crt

_recalloc_crt

_set_malloc_crt_max_wait

wcrtomb

wcrtomb_s

xMaxPolicyElementKey

pExecutionResource

s.SVW

*Yp3.CP 

GetProcessHeap

msvcr100.i386.pdb

.?AUIExecutionContext@Concurrency@@

.?AVinvalid_oversubscribe_operation@Concurrency@@

.?AVoperation_timed_out@Concurrency@@

.?AVinvalid_operation@Concurrency@@

.?AVinvalid_scheduler_policy_key@Concurrency@@

.?AVunsupported_os@Concurrency@@

.?AUIExecutionResource@Concurrency@@

.?AVExecutionResource@details@Concurrency@@

.PAVscheduler_resource_allocation_error@Concurrency@@

.PAVexception@std@@

0$0(0,0004080<0@0

1(1/14181<1]1

1&2,2024282

4C4U4V5Z6

2!272?2{2

3&3,3:3@3

=$=(?2?=?

7 8%9-9J9Z9};

2#2)23292?2

7 7$7)7/7

1!2=2}2

8 949\9|9

= =$=(=,=

3hXXp://crl.microsoft.com/pki/crl/products/CSPCA.crl0H

,hXXp://VVV.microsoft.com/pki/certs/CSPCA.crt0

3hXXp://crl.microsoft.com/pki/crl/products/tspca.crl0H

,hXXp://VVV.microsoft.com/pki/certs/tspca.crt0

hXXp://microsoft.com0

LAUNCH_ON_WINDOWS_STARTUP=

.torrent

Mail.Ru

@Mail.Ru

[email protected]

FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=

Chrome

1.0.1.6

[email protected],

SECOND_INSTANCE_TEXT1=Found running Zona, waiting %d second(s).

NOT_ENOUGH_SPACE_TO_INSTALL=Not enough disk space, you need to %s MB of free space

ZONA_COMPONENT_NOT_FOUND=Important components of the program are not found. Please reinstall Zona.

DOWNLOADING=Downloading %s

UNPACKING=Unpacking %s

INSTALLING=Installing %s

INSTALL_SOFT_FOR_HELP=Establishing the proposed software you help %s remain free

LAUNCH_ON_WINDOWS_STARTUP=Start Zona when Windows starts

OPEN_TORRENT_VIA_ZONA=Open .torrent files in Zona

PARTNER_TITLE=Together with %s You can install additional software

MAILRU_HOME_PAGE=Set Mail.Ru homepage

MAILRU_SEARCH=Set [email protected] search by default

MAILRU_INSTALL_GUARD=Install [email protected]

@Mail.Ru for FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=Install Chrome extensions

VERSION_LESS_THAN_1016=This link works in Zona version 1.0.1.6 and above. Please wait for updates and follow the link again.

UNINSTALLER_CLOSING_ZONA=Shutdown running zona...PAD

X.Igy

j-K.PX

k.aIi

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3" xmlns="urn:schemas-microsoft-com:asm.v3"><v3:security><v3:requestedPrivileges><v3:requestedExecutionLevel level="asInvoker" uiAccess="false"></v3:requestedExecutionLevel></v3:requestedPrivileges></v3:security></v3:trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>

2$2,232=2`2

4 4$4(4,4044484<4

8!9'969}9

3"383@3|3

6&6.646:6

2 2$2(2,2024282

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

%s\%s

Error: %d

dll d %s

ZonaUpdater.exe

Updater ver [%d.%d.%d.%d]

%s\Zona\updates\inst_*

%s\License_ru.rtf

%s\License_uk.rtf

%s\License_en.rtf

shell32.dll

%s\zona.ru

%s\zona.ru\zona.sol

\Macromedia\Flash Player\#SharedObjects\%s

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\%s

%s\Zona\launch.log

\jre_packed.exe

/moveXUL /appDataPath "%s" /appPath "%s" /jvmPath "%s"

ttp://dl.zonainst.com/jre_packed.exe

ttp://dl.zonainst.com/jre_latest.exe

msvcr71.dll

msvcr100.dll

%s %s -classpath Zona.jar;swt.jar -Dlog4j.configuratorClass=org.gudy.azureus2.core3.util.LogConfigurator ru.zona.Main %s

%sjavaw.exe

Exception in Janel.main()

%s\utils.jar

Exception in Janel.getProperties()

Exception in Janel.launchJavaMainMethod()

ttp://zona.ru

ttp://zona.ru/?ref=%s

\Zona.jar

\zreg.dll

\swt.jar

@ExecuteProcessCommand

xecute process, WAIT cmd:

xit code is %d

13:45:09

oftware\%s

[%d_%d_%d %d:%d:%d:%d] %s : [%s] : %s

%s%s%s

httpget start asynch loading

wininet.dll

id:%s url:%s ErrorCode:%d

%s ErrorText:%s

httpget

InternetCrackUrl

%sx

HttpOpenRequest

Range: bytes=%d-

HttpSendRequest

HttpQueryInfo

%s_%s

Error copy file, err: %d

Error delete file, err: %d

avaVer.class found

%s\bin\javaw.exe" -classpath "%s" ru.megamakc.core.JavaVer

avaVer.class NOT FOUND

%s\bin\javaw.exe" -classpath "%s" org.gudy.azureus2.core3.util.Constants

s\Zona.jar

s\plugins\zxulrunner\plugin.properties

s\plugins\zxulrunner10\plugin.properties

s\plugins\zxulrunner*|%s\plugins

s.

Exception in JVMInfo.getComparableVersionUsingRegularVersion()

Exception in JVMInfo.adjustComparableVersionForJavaBundle()

Exception in JVMInfo.adjustComparableVersionForBinJvmDir()

Exception in JVMInfo.clone()

Exception in JVMInfo.getJrePath()

Exception in JVMInfo.existsJvmDLL()

Error while testing if JVM.DLL exists.

\jvm.dll

Exception in JVMInfo.getJvmDLLPath()

Error while getting the jvm.dll path.

javaw.exe

\bin\splashscreen.dll

Loading splashscreen.dll from

Failed to load splashscreen.dll

command line arg[%u]=%s

Exception in JVMLauncher.launch()

-Djava.class.path=

-Djava.library.path=

Exception in JVMLauncher.setupJavaVMInitArgs()

Exception in Properties.loadProperties()

-Xmx%dm

-XX:ErrorFile="%s\Zona\errors\hs_err_pid%%p.log"

-Dlog4j.configuratorClass=org.gudy.azureus2.core3.util.LogConfigurator

-Djava.class.path=Zona.jar;swt.jar

ru.zona.Main

m_fullPathAndNameOfExe=

Exception in Properties.isVersionLessThanEqualMax()

Exception in Properties.isVersionGreaterThanEqualMin()

-Dprocess.id=%u

-Djava.class.path

-Djava.library.path

Error adding directories to java.library.path.

,m_javaSystemProperties[%u]=%s

,m_commandLineArguments[%u]=%s

Exception in LocalUtilites.trim()

Exception in LocalUtilites.fileExists()

AException in PropertiesFile.loadPropertiesFromFile()

Ajanel.main.class

janel.bin.jvm.dir

janel.java.bundle

janel.min.java.version

janel.max.java.version

janel.jvm.path

janel.java.home.path

janel.trap.console.ctrl

janel.classpath.jars.dir

janel.classpath.jars.dir.recursive

janel.debug.file

janel.library.path.dir

janel.library.path.dir.recursive

janel.working.dir

janel.main.argument

janel.sysprop.process.id

janel.splash

janel.memory.check.limits

janel.memory.max.available.percent

janel.memory.max.total.percent

janel.memory.max.upper.limit

janel.memory.max.lower.limit

janel.memory.init.available.percent

janel.memory.init.total.percent

janel.memory.init.upper.limit

janel.memory.init.lower.limit

janel.error.default.text

janel.error.show.detail

FOUND_EXE_FOLDER

sJavaArch.class found

"%s\bin\javaw.exe" -classpath "%s" ru.megamakc.core.JavaArch

JavaArch.class NOT FOUND

Exception in JVMChooser.getBestJVM()

%s\jre

%s\bin\client\jvm.dll

Exception in JVMChooser.getAllJVMs()

Exception in JVMChooser.breakoutBinJvmDirs()

JVMChooser.determineVersions version is bad:

Exception in JVMChooser.determineVersions()

Exception in JVMChooser.removeUnacceptableJVMs()

Exception in JVMChooser.getJvmFromCustomJvmPath():

Exception in JVMChooser.getJvmFromCustomJvmPath()

Exception in JVMChooser.getJvmFromCustomJavaHomePath():

Exception in JVMChooser.getJvmFromCustomJavaHomePath()

Exception in JVMChooser.getJvm()

fullKeyPath=

Exception in WindowsRegistry.addAllSdkJvms()

Exception in WindowsRegistry.addAllJreJvms()

Registry key

Briched20.dll

%Program Files%\Zona\Zona.exe

7.10.3052.4

MSVCR71.DLL

Visual Studio .NET

wUSER32.DLL

advapi32.dll

[%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d)

[%d] %S: !!!!!!!Assert Failed(%S: %d)

[%d:%d:%d:%d(%d)]

ADVAPI32.DLL

10.00.30319.415

msvcr100_clr0400.dll

msvcr100.dl

1.0.6.5

%original file name%.exe_1888_rwx_00401000_00037000:

SSSSh

u.hx9A

user32.dll

zcÁ

LAUNCH_ON_WINDOWS_STARTUP=

.torrent

Mail.Ru

@Mail.Ru

[email protected]

FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=

Chrome

1.0.1.6

LAUNCH_ON_WINDOWS_STARTUP=Start Zona when Windows starts

OPEN_TORRENT_VIA_ZONA=Open .torrent files in Zona

MAILRU_HOME_PAGE=Set Mail.Ru homepage

MAILRU_SEARCH=Set [email protected] search by default

MAILRU_INSTALL_GUARD=Install [email protected]

@Mail.Ru for FireFox

MAILRU_INSTALL_CHROME_EXTENSIONS=Install Chrome extensions

VERSION_LESS_THAN_1016=This link works in Zona version 1.0.1.6 and above. Please wait for updates and follow the link again.

ru/megamakc/core/JavaVer.class

ru/megamakc/zip/IZipCreator.classMOKj

ru/megamakc/zip/ZipHelper$1.class}QMo

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.class

ru/megamakc/zip/ZipHelper.class

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.class

org/sevenzip/decoder/LzmaAloneDecoder.class

U.sjb

org/sevenzip/decoder/LzmaException.class

org/sevenzip/decoder/CRC.classuSMO

org/sevenzip/decoder/compression/lz/OutWindow.class

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.class

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.class

org/sevenzip/decoder/compression/lzma/Decoder.class

/"%7Xd{

org/sevenzip/decoder/compression/lzma/Base.class

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.class

org/sevenzip/decoder/compression/rangecoder/Decoder.class

ru/megamakc/core/hash/ProgressListener.class;

ru/megamakc/core/tools/FileHelperBase.class

ru/megamakc/core/tools/ReflectionHelper.class

ru/megamakc/core/path/IPathConverter.classm

org/sevenzip/decoder/SevenZipFolderDecoder.class

org/sevenzip/decoder/SevenZipFolderDecoder$Log.class

ru/megamakc/core/JavaVer.classPK

ru/megamakc/zip/IZipCreator.classPK

ru/megamakc/zip/ZipHelper$1.classPK

ru/megamakc/zip/ZipHelper$ZipDeflatedStream.classPK

ru/megamakc/zip/ZipHelper.classPK

org/sevenzip/decoder/LzmaAloneDecoder$CommandLine.classPK

org/sevenzip/decoder/LzmaAloneDecoder.classPK

org/sevenzip/decoder/LzmaException.classPK

org/sevenzip/decoder/CRC.classPK

org/sevenzip/decoder/compression/lz/OutWindow.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LenDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder$Decoder2.classPK

org/sevenzip/decoder/compression/lzma/Decoder$LiteralDecoder.classPK

org/sevenzip/decoder/compression/lzma/Decoder.classPK

org/sevenzip/decoder/compression/lzma/Base.classPK

org/sevenzip/decoder/compression/rangecoder/BitTreeDecoder.classPK

org/sevenzip/decoder/compression/rangecoder/Decoder.classPK

ru/megamakc/core/hash/ProgressListener.classPK

ru/megamakc/core/tools/FileHelperBase.classPK

ru/megamakc/core/tools/ReflectionHelper.classPK

ru/megamakc/core/path/IPathConverter.classPK

org/sevenzip/decoder/SevenZipFolderDecoder.classPK

org/sevenzip/decoder/SevenZipFolderDecoder$Log.classPK

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\lang1049\kerning1\b\f0\fs16\'cb\'c8\'d6\'c5\'cd\'c7\'c8\'ce\'cd\'cd\'ce\'c5 \'d1\'ce\'c3\'cb\'c0\'d8\'c5\'cd\'c8\'c5 \'d1 \'ca\'ce\'cd\'c5\'d7\'cd\'db\'cc \'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'d2\'c5\'cb\'c5\'cc \'cf\'ce \'c8\'d1\'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'cd\'c8\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'db \'c4\'cb\'df \'dd\'c2\'cc \lang1033\f1\'abZONA\'bb.\par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\hyphpar0\qc\lang1049\kerning1\b\f0\fs16 END USER LICENSE AGREEMENT FOR THE ZONA SOFTWARE \par

\tab It is clarified for the User and the User understands that according to the legal position of the Russian Federation Supreme Arbitration Court expressed in the Presidium decree dated 23.12.2008 No 10962/08, the provider is not responsible for the information transmitted, unless the provider initiates its transmission, selects the information recipient or affects the information integrity. \par

{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\qc\kerning1\b\f0\fs16 \'cb\'b2\'d6\'c5\'cd\'c7\'b2\'c9\'cd\'c0 \'d3\'c3\'ce\'c4\'c0 \'c7 \'ca\'b2\'cd\'d6\'c5\'c2\'c8\'cc \'ca\'ce\'d0\'c8\'d1\'d2\'d3\'c2\'c0\'d7\'c5\'cc \'cf\'ce \'c2\'c8\'ca\'ce\'d0\'c8\'d1\'d2\'c0\'cd\'cd\'de \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'c8 \'c4\'cb\'df \'c5\'ce\'cc \'abZONA\'bb.\par

\tab\'ca\'ee\'f0\'e8\'f1\'f2\'f3\'e2\'e0\'f7\'f3 \'f0\'ee\'e7'\'ff\'f1\'ed\'e5\'ed\'ee \'f2\'e0 \'e7\'f0\'ee\'e7\'f3\'ec\'b3\'eb\'ee, \'f9\'ee \'c7\'e3\'b3\'e4\'ed\'ee \'e7 \'ef\'f0\'e0\'e2\'ee\'e2\'ee\'fe \'ef\'ee\'e7\'e8\'f6\'b3\'ba\'fe \'c2\'e8\'f9\'ee\'e3\'ee \'c0\'f0\'e1\'b3\'f2\'f0\'e0\'e6\'ed\'ee\'e3\'ee \'d1\'f3\'e4\'f3 \'d0\'ee\'f1\'b3\'e9\'f1\'fc\'ea\'ee\'bf \'d4\'e5\'e4\'e5\'f0\'e0\'f6\'b3\'bf, \'e2\'e8\'f0\'e0\'e6\'e5\'ed\'ee\'bf \'e2 \'ef\'ee\'f1\'f2\'e0\'ed\'ee\'e2\'b3 \'cf\'f0\'e5\'e7\'e8\'e4\'b3\'bf \'e2\'b3\'e4 23.12.2008 N 10962/08, \'ef\'f0\'ee\'e2\'e0\'e9\'e4\'e5\'f0 \'ed\'e5 \'ed\'e5\'f1\'e5 \'e2\'b3\'e4\'ef\'ee\'e2\'b3\'e4\'e0\'eb\'fc\'ed\'ee\'f1\'f2\'b3 \'e7\'e0 \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'f3 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'fe, \'ff\'ea\'f9\'ee \'ed\'e5 \'e2\'b3\'ed \'b3\'ed\'b3\'f6\'b3\'fe\'ba \'bf\'bf \'ef\'e5\'f0\'e5\'e4\'e0\'f7\'f3, \'e2\'e8\'e1\'e8\'f0\'e0\'ba \'ee\'e4\'e5\'f0\'e6\'f3\'e2\'e0\'f7\'e0 \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf, \'e2\'ef\'eb\'e8\'e2\'e0\'ba \'ed\'e0 \'f6\'b3\'eb\'b3\'f1\'ed\'b3\'f1\'f2\'fc \'ef\'e5\'f0\'e5\'e4\'e0\'ed\'ee\'bf \'b3\'ed\'f4\'ee\'f0\'ec\'e0\'f6\'b3\'bf.\b\par

GetCPInfo

CreateNamedPipeW

ConnectNamedPipe

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyW

RegCloseKey

ShellExecuteExW

ShellExecuteW

URLOpenBlockingStreamW

InternetCrackUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

.text

`.rdata

@.data

.rsrc

\\.\pipe\zona_cmd_pipe

Failed to make connection on named pipe.

hXXp://zona.ru/?ref=installer_%s

hXXp://zona.ru/img/no-cover.jpg

LAUNCH_ON_WINDOWS_STARTUP

%s_%d

%s\%s

unpack_%s_%d

hXXp://dl.zona.ru/pinstall/

%s&%s

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%}

%s /standalone%s%s %s

RUpdate.exe

rambler_%s.7z

pparams=%{%"result%"%:%"%d%"%,%"start%"%:%"%s%"%,%"search%"%:%"%s%"%,%"guard%"%:%"%s%"%}

%s /silent%s%s%s %s

MailRuSputnik.exe

riched20.dll

hXXp://dl.zona.ru/jre_latest.exe

%sjavaSetup.exe

hXXp://dl.zona.ru/jre_packed.exe

%sjre_packed.exe

hXXp://dl.zona.ru/appdata.7z

%sappdata.7z

hXXp://dl.zona.ru/Zona.7z

%sZona.7z

extractPlugin_%d

extractCore_%d

createInitXml_%d

%s\init.xml

Execute process NO WAIT, cmd:

Exit code is %d

Execute process, WAIT cmd:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shell32.dll

Zona.exe

bin\javaw.exe

%s\jre

"%s" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0

"%s" %s

%s\%s -classpath "%s\utils.jar" ru.megamakc.core.JavaVer

%s\utils.jar

utils.jar is found

utils.jar is not found, extract him

%s\License_en.rtf

%s\License_uk.rtf

%s\License_ru.rtf

"%s\bin\javaw.exe" -classpath "%s" org.sevenzip.decoder.SevenZipFolderDecoder "%s" "%s"

zona_web_setup_mutex

%s\%s /copydll

"%s\bin\java" -classpath "%s\Zona.jar" org.gudy.azureus2.core3.util.Constants

%s&errors=%s

guid=%s&mode=%s&version=%s&os=%s&installId=%s&pid=%s&torrentHash=%s&pinstall=%s&md5=%s&serial=%s

%sparam=%s

hXXp://zona.ru/installer.html?

%s&java_install=%s

%s&mode_ext=%s

Software\Microsoft\Windows\CurrentVersion\Run

%s\Zona.exe /MINIMIZED

Software\Classes\.zona

.zona

Software\Classes\.torrent

.torrent

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithProgids

"%s\torrent.ico"

URL Protocol

Applications\Zona.exe\shell\open\command

"%s" "%%1"

%s\torrent.ico

%s\Programs\Zona.lnk

%s\Zona.lnk

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zona)

%s\uninstall.exe

Error: %d

%d.%d.%d

12:41:29

%sx

\init.xml

%s\zona.ru\zona.sol

%s\zona.ru

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\%s

\Macromedia\Flash Player\#SharedObjects\%s

%s, ErrorText: %s

id:%s, url: Error #%d

wininet.dll

ZONA_httpget

httpget start synch loading

httpget start asynch loading

HNetCfg.FwAuthorizedApplication

HNetCfg.FwMgr

ZonaInstall.log

[%d_%d_%d %d:%d:%d:%d] %s : [%s] : %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ZonaInstall.log

c:\%original file name%.exe

RUpdate.exe_380:

.text

`.rdata

@.data

P.rsrc

PSSSSSSh

F><.tN<[tJ<\tF<*tB<|t><^t:<$t6

8%u]P

RSSh,BL

.FGy"

u u

8sqli

SSh8&M

SSh@&M

 1 23 456

t.hp=M

xSSSh

FTPjKS

FtPj;S

C.PjRV

operator

GetProcessWindowStation

portuguese-brazilian

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

AdminSpace.cpp

assistant.cpp

contacts.cpp

Fixes.cpp

Fork.cpp

IE.cpp

hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}

SuggestionsURL_JSON

hXXp://VVV.rambler.ru/i/osd.xml

OSDFileURL

hXXp://i.rl0.ru/favicon.ico

FaviconURL

{00000000-4EB2-4FC3-BD68-7067448F7A06}

IE8Plus.cpp

nichrome.cpp

nsis_rambler.cpp

hXXp://VVV.rambler.ru/?utm_source=

ping.cpp

Product.cpp

ProductManager.cpp

ProductUpdate.cpp

3.7.10

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY`

()$^.* ?[]|\-{},:=!

RChromeUtil.cpp

INSERT INTO keywords(short_name,keyword,favicon_url,url,show_in_default_list,safe_for_autoreplace,originating_url,date_created,usage_count,input_encodings,suggest_url,prepopulate_id,created_by_policy,instant_url,last_modified,sync_guid)VALUES('Rambler','rambler.ru','hXXp://i.rl0.ru/favicon.ico','hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=%s&utm_medium=distribution&utm_content=e09&utm_campaign=%s',1,1,'',0,0,'windows-1251','',16,0,'',0,'3718A840-5EFD-4CC4-8581-3B3D978D638B')

UPDATE meta SET value = '%I64i' WHERE key = 'Default Search Provider ID'

"urls_to_restore_on_startup": [ "

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /Checking reports...

reports.cpp

Processing report file

Content-Disposition: form-data; name="report_file"; filename="report.xml"

http post ok

http post fail:

HTTP request failed

report file too big!

RMozillaUtil.cpp

(user_pref\("keyword.URL",[^)]*\);)

(user_pref\("browser.search.selectedEngine",[^)]*\);)

user_pref("keyword.URL","hXXp://nova.rambler.ru/search?utm_source=

user_pref("browser.search.selectedEngine","Rambler");

user_pref("keyword.URL"

user_pref("browser.search.selectedEngine"

(user_pref\("browser.startup.homepage",[^\)]*\);)

(user_pref\("browser.startup.page",[^\)]*\);)

user_pref("browser.startup.homepage", "

user_pref("browser.startup.page", 1);

user_pref("browser.startup.homepage"

user_pref("browser.startup.page

URL=hXXp://nova.rambler.ru/search?query=%s

Key=r

ROperaUtil.cpp

Home URL

RResUtil.cpp

CreateMutexExW

Scheduler.cpp

RSysinfo2.cpp

SingleActions.cpp

ShutDownManager.cpp

main.cpp

RegDeleteKeyExW

RegDeleteKeyW

DeElevate.cpp

TaskDownload.cpp

TaskMSIInstall.cpp

UserSpace.cpp

RPathHelper.cpp

registry.cpp

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjXXXXXX9XXz

MJ delete: %s

MJ collide: %s

-mjX9X

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

type='trigger' AND (%s)

sqlite_

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s TABLE %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid>? AND rowid<?)

%s (rowid>?)

%s (rowid<?)

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

at most %d tables in a join

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

C:\rambler\holdem_client\output\Release\RUpdate.pdb

URLDownloadToFileW

urlmon.dll

SHLWAPI.dll

USERENV.dll

COMCTL32.dll

DeleteUrlCacheEntryW

WININET.dll

WinHttpOpen

WinHttpConnect

WinHttpCloseHandle

WinHttpOpenRequest

WinHttpSendRequest

WINHTTP.dll

PSAPI.DLL

UxTheme.dll

GetProcessShutdownParameters

SetProcessShutdownParameters

GetProcessHeap

GetCPInfo

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegCreateKeyExW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

SHFileOperationW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHDeleteKeyW

zcÁ

.?AVRMozillaUtil@@

333333333

<OpenSearchDescription xmlns="hXXp://a9.com/-/spec/opensearch/1.1/">

<Image width="16" height="16" type="image/x-icon">hXXp://i.rl0.ru/favicon.ico</Image>

<Url type="text/html" template="hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=PARTNERCODE&utm_medium=distribution&utm_content=e09&utm_campaign=CAMPAIGNCODE"/>

<Url type="application/x-suggestions json" template="hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}" />

<SearchPlugin xmlns="hXXp://VVV.mozilla.org/2006/browser/search/" xmlns:os="hXXp://a9.com/-/spec/opensearch/1.1/">

<os:Url type="text/html" method="GET" template="hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=PARTNERCODE&utm_medium=distribution&utm_content=e09&utm_campaign=CAMPAIGNCODE">

</os:Url><os:Url type="application/x-suggestions json" method="GET" template="hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}">

</os:Url>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

{C28A107F-656E-4E01-904E-B2D1BD7BB9F6}

Regsvr32.exe

Failed to Regsvr32.exe:

RamblerBar.dll

Failed to register RamblerBar.dll

RBardPS.dll

Failed to register RBardPS.dll

RamblerBarSyncPS.dll

Failed to register RamblerBarSyncPS.dll

RamblerBarSync.exe

Failed to register RamblerBarSync.exe

{468CD8A9-7C25-45FA-969E-3D925C689DC4}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1C8A72F-3027-48f7-A333-A5D01EBD4B7E}

Can't create BHO SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

assistcookie.tmp

hXXp://informers.rambler.ru/del_cookie_assist

Software\Rambler\Update\{C28A107F-656E-4e01-904E-B2D1BD7BB9F6}

6.0.187.0

Software\Rambler.ru\Toolbar\Settings

Software\Rambler.ru\Toolbar

Software\Rambler.ru

Rambler.ru

5.9.7.0

Software\Rambler\Update\{C28A107F-656E-4E01-904E-B2D1BD7BB9F6}

Rambler.ru Toolbar

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\Run

/price.htm

/search.htm

/dic.htm

Error during deleting assistant Rambler.ru HKLM

Error during deleting assistant Rambler.ru HKCU

*.log

%d.%d build %d

ramblercontacts.exe

Windows %s %s %s %s bit

{9732304B-B640-4C54-B2CD-3C2297D649A1}

</version><locale><name>TODO</name></locale></application><report><description>Checkinstall failed!</description><type>ERROR</type></report><system><os-version>

<report version="1.0"><application><guid>

_crash.xml

Software\Rambler\Update\{9732304B-B640-4C54-B2CD-3C2297D649A1}

Failed to create {9732304B-B640-4C54-B2CD-3C2297D649A1}

Failed set value to 'Version' key

Software\Rambler\Holdem\{9732304B-B640-4C54-B2CD-3C2297D64900}

Software\Rambler\Stat\{9732304B-B640-4C54-B2CD-3C2297D64900}

{9732304B-B640-4C54-B2CD-3C2297D649A}

Failed to fix 1_5_1: {9732304B-B640-4C54-B2CD-3C2297D649A}

Failed to NichromeFixes

Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}

hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=

Failed to get list of all children with name 'Url' of the first node of the upper layer

Failed to get the first child with name 'Url' of the first node of the upper layer

xml.tmp

Software\Rambler\Update\{09D77C1F-EB64-4F2A-A34D-6A732EF8CD89}

6.0.475.1

debug.txt

Software\Microsoft\Windows\CurrentVersion\Uninstall\Nichrome

Nichrome

Software\Microsoft\Windows\CurrentVersion\Uninstall

Failed to delete nichrome6 uninstall key

ping.tmp

&appid=rupdate1.9.19.0

hXXp://VVV.rambler.ru/r/p?event=

{09D77C1F-EB64-4F2A-A34D-6A732EF8CD89}

&appid=nichrome_win

{D9527E5B-427D-450F-9FDF-351C08163520}

&appid=rupdate_1.9.19.0

msierror.tmp

1.9.19.0

hXXp://rupdate.rambler.ru/msi?error=

homeerror.tmp

hXXp://rupdate.rambler.ru/sethome/?browser=

searcherror.tmp

hXXp://rupdate.rambler.ru/setsearch/?browser=

0.0.0.1

can't obtain update registry key

ping url is empty

product.tmp

hXXp://update.rambler.ru/holdem/?protocol_version=1.1&guid=

777705555443332

5555443332

5555443332

Software\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}

Set default search for Chrome

p\Google\Chrome\User Data\Default\Web Data

Failed to open sqlite DB

SELECT id FROM keywords WHERE short_name like '%ambler'

chrome

Failed to prepare chrome query

Failed to execute insert query:

Failed to execute insert query

Failed to prepare update sql

Failed to exec update sql

Failed to exec update sql:

\Google\Chrome\User Data\Default\Preferences

Failed to open chrome preferences

Failed to write in chrome preferences

Rambler Updater System 1.9.19.0

rupdate.rambler.ru

Failed to connect to rupdate.rambler.ru

rambler.xml

Failed to load rambler.xml

//SearchPlugin/os:Url

Failed to check rambler.xml file

firefox

prefs.js

Failed to load prefs.js

Failed to write default valuesin prefs.js

Failed to open prefs.js file

Failed to write prefs.js file

Failed to write in prefs.js

Failed to write default values in prefs.js

Do search mozilla profile

Firefox

Mozilla

*.default

1234567890

Failed to create file 'search.ini'

Failed to write in 'search.ini' file

hXXp://nova.rambler.ru/search?query=%s

Suggest URL

Failed to get Opera settings path

Setup default search for Opera

search.ini

Failed to EditSearchIni Opera\operaprefs.ini file

opera

Failed to EditSearchIni Opera\search.ini file

operaprefs.ini

Opera\Opera

%s\operaprefs.ini

ntdll.dll

kernel32.dll

Failed to send reports logs

0:0:0:0:0:0:0:0:0

Failed to load 'kernel32.dll'

%d:%d:%d:

Failed to load kernel32.dll

L{9BE75982-243A-4f30-918F-D3DC61A44F4C}

pHKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

holdem_scheduler.log

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

Wadvapi32.dll

ShellExecute failed to elevate

Failed to TaskMSIInstall::exec

msiexec.exe

install.log

rupdate.exe

Failed to setup value 'Rambler Update' to RunOnce register key

Failed to delete 'Rambler Update' from 'Run' register key

{643B953E-6E60-4CE2-98D9-B46E7AAA9C3E}

Software\Rambler\Update\{D9527E5B-427D-450F-9FDF-351C08163520}

/C /Q ping 1.1.1.1 -n 1 -w 3000 > Nul & Del

cmd.exe

Failed to remove rupdate.exe

debug.log

DebugMessage.exe

Shell32.dll

reports

Can't create registry key:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RUpdate.exe

%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\holdem_scheduler.log

1,9,19,0

RUpdater.exe

RUpdate.exe_928:

.text

`.rdata

@.data

P.rsrc

PSSSSSSh

F><.tN<[tJ<\tF<*tB<|t><^t:<$t6

8%u]P

RSSh,BL

.FGy"

u u

8sqli

SSh8&M

SSh@&M

 1 23 456

t.hp=M

xSSSh

FTPjKS

FtPj;S

C.PjRV

operator

GetProcessWindowStation

portuguese-brazilian

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

AdminSpace.cpp

assistant.cpp

contacts.cpp

Fixes.cpp

Fork.cpp

IE.cpp

hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}

SuggestionsURL_JSON

hXXp://VVV.rambler.ru/i/osd.xml

OSDFileURL

hXXp://i.rl0.ru/favicon.ico

FaviconURL

{00000000-4EB2-4FC3-BD68-7067448F7A06}

IE8Plus.cpp

nichrome.cpp

nsis_rambler.cpp

hXXp://VVV.rambler.ru/?utm_source=

ping.cpp

Product.cpp

ProductManager.cpp

ProductUpdate.cpp

3.7.10

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY`

()$^.* ?[]|\-{},:=!

RChromeUtil.cpp

INSERT INTO keywords(short_name,keyword,favicon_url,url,show_in_default_list,safe_for_autoreplace,originating_url,date_created,usage_count,input_encodings,suggest_url,prepopulate_id,created_by_policy,instant_url,last_modified,sync_guid)VALUES('Rambler','rambler.ru','hXXp://i.rl0.ru/favicon.ico','hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=%s&utm_medium=distribution&utm_content=e09&utm_campaign=%s',1,1,'',0,0,'windows-1251','',16,0,'',0,'3718A840-5EFD-4CC4-8581-3B3D978D638B')

UPDATE meta SET value = '%I64i' WHERE key = 'Default Search Provider ID'

"urls_to_restore_on_startup": [ "

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /Checking reports...

reports.cpp

Processing report file

Content-Disposition: form-data; name="report_file"; filename="report.xml"

http post ok

http post fail:

HTTP request failed

report file too big!

RMozillaUtil.cpp

(user_pref\("keyword.URL",[^)]*\);)

(user_pref\("browser.search.selectedEngine",[^)]*\);)

user_pref("keyword.URL","hXXp://nova.rambler.ru/search?utm_source=

user_pref("browser.search.selectedEngine","Rambler");

user_pref("keyword.URL"

user_pref("browser.search.selectedEngine"

(user_pref\("browser.startup.homepage",[^\)]*\);)

(user_pref\("browser.startup.page",[^\)]*\);)

user_pref("browser.startup.homepage", "

user_pref("browser.startup.page", 1);

user_pref("browser.startup.homepage"

user_pref("browser.startup.page

URL=hXXp://nova.rambler.ru/search?query=%s

Key=r

ROperaUtil.cpp

Home URL

RResUtil.cpp

CreateMutexExW

Scheduler.cpp

RSysinfo2.cpp

SingleActions.cpp

ShutDownManager.cpp

main.cpp

RegDeleteKeyExW

RegDeleteKeyW

DeElevate.cpp

TaskDownload.cpp

TaskMSIInstall.cpp

UserSpace.cpp

RPathHelper.cpp

registry.cpp

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

%s-shm

%s\etilqs_

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

unknown database %s

keyinfo(%d

%s(%d)

%s-mjXXXXXX9XXz

MJ delete: %s

MJ collide: %s

-mjX9X

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

type='trigger' AND (%s)

sqlite_

table %s may not be altered

there is already another table or index with this name: %s

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s TABLE %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid>? AND rowid<?)

%s (rowid>?)

%s (rowid<?)

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

at most %d tables in a join

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unknown database: %s

no such %s mode: %s

%s mode not allowed: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

C:\rambler\holdem_client\output\Release\RUpdate.pdb

URLDownloadToFileW

urlmon.dll

SHLWAPI.dll

USERENV.dll

COMCTL32.dll

DeleteUrlCacheEntryW

WININET.dll

WinHttpOpen

WinHttpConnect

WinHttpCloseHandle

WinHttpOpenRequest

WinHttpSendRequest

WINHTTP.dll

PSAPI.DLL

UxTheme.dll

GetProcessShutdownParameters

SetProcessShutdownParameters

GetProcessHeap

GetCPInfo

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegCreateKeyExW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

SHFileOperationW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHDeleteKeyW

zcÁ

.?AVRMozillaUtil@@

333333333

<OpenSearchDescription xmlns="hXXp://a9.com/-/spec/opensearch/1.1/">

<Image width="16" height="16" type="image/x-icon">hXXp://i.rl0.ru/favicon.ico</Image>

<Url type="text/html" template="hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=PARTNERCODE&utm_medium=distribution&utm_content=e09&utm_campaign=CAMPAIGNCODE"/>

<Url type="application/x-suggestions json" template="hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}" />

<SearchPlugin xmlns="hXXp://VVV.mozilla.org/2006/browser/search/" xmlns:os="hXXp://a9.com/-/spec/opensearch/1.1/">

<os:Url type="text/html" method="GET" template="hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=PARTNERCODE&utm_medium=distribution&utm_content=e09&utm_campaign=CAMPAIGNCODE">

</os:Url><os:Url type="application/x-suggestions json" method="GET" template="hXXp://nova.rambler.ru/suggest?v=3&query={searchTerms}">

</os:Url>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

{C28A107F-656E-4E01-904E-B2D1BD7BB9F6}

Regsvr32.exe

Failed to Regsvr32.exe:

RamblerBar.dll

Failed to register RamblerBar.dll

RBardPS.dll

Failed to register RBardPS.dll

RamblerBarSyncPS.dll

Failed to register RamblerBarSyncPS.dll

RamblerBarSync.exe

Failed to register RamblerBarSync.exe

{468CD8A9-7C25-45FA-969E-3D925C689DC4}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1C8A72F-3027-48f7-A333-A5D01EBD4B7E}

Can't create BHO SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

assistcookie.tmp

hXXp://informers.rambler.ru/del_cookie_assist

Software\Rambler\Update\{C28A107F-656E-4e01-904E-B2D1BD7BB9F6}

6.0.187.0

Software\Rambler.ru\Toolbar\Settings

Software\Rambler.ru\Toolbar

Software\Rambler.ru

Rambler.ru

5.9.7.0

Software\Rambler\Update\{C28A107F-656E-4E01-904E-B2D1BD7BB9F6}

Rambler.ru Toolbar

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\Run

/price.htm

/search.htm

/dic.htm

Error during deleting assistant Rambler.ru HKLM

Error during deleting assistant Rambler.ru HKCU

*.log

%d.%d build %d

ramblercontacts.exe

Windows %s %s %s %s bit

{9732304B-B640-4C54-B2CD-3C2297D649A1}

</version><locale><name>TODO</name></locale></application><report><description>Checkinstall failed!</description><type>ERROR</type></report><system><os-version>

<report version="1.0"><application><guid>

_crash.xml

Software\Rambler\Update\{9732304B-B640-4C54-B2CD-3C2297D649A1}

Failed to create {9732304B-B640-4C54-B2CD-3C2297D649A1}

Failed set value to 'Version' key

Software\Rambler\Holdem\{9732304B-B640-4C54-B2CD-3C2297D64900}

Software\Rambler\Stat\{9732304B-B640-4C54-B2CD-3C2297D64900}

{9732304B-B640-4C54-B2CD-3C2297D649A}

Failed to fix 1_5_1: {9732304B-B640-4C54-B2CD-3C2297D649A}

Failed to NichromeFixes

Software\Microsoft\Internet Explorer\SearchScopes\{00000000-4EB2-4FC3-BD68-7067448F7A06}

hXXp://nova.rambler.ru/search?query={searchTerms}&utm_source=

Failed to get list of all children with name 'Url' of the first node of the upper layer

Failed to get the first child with name 'Url' of the first node of the upper layer

xml.tmp

Software\Rambler\Update\{09D77C1F-EB64-4F2A-A34D-6A732EF8CD89}

6.0.475.1

debug.txt

Software\Microsoft\Windows\CurrentVersion\Uninstall\Nichrome

Nichrome

Software\Microsoft\Windows\CurrentVersion\Uninstall

Failed to delete nichrome6 uninstall key

ping.tmp

&appid=rupdate1.9.19.0

hXXp://VVV.rambler.ru/r/p?event=

{09D77C1F-EB64-4F2A-A34D-6A732EF8CD89}

&appid=nichrome_win

{D9527E5B-427D-450F-9FDF-351C08163520}

&appid=rupdate_1.9.19.0

msierror.tmp

1.9.19.0

hXXp://rupdate.rambler.ru/msi?error=

homeerror.tmp

hXXp://rupdate.rambler.ru/sethome/?browser=

searcherror.tmp

hXXp://rupdate.rambler.ru/setsearch/?browser=

0.0.0.1

can't obtain update registry key

ping url is empty

product.tmp

hXXp://update.rambler.ru/holdem/?protocol_version=1.1&guid=

777705555443332

5555443332

5555443332

Software\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}

Set default search for Chrome

p\Google\Chrome\User Data\Default\Web Data

Failed to open sqlite DB

SELECT id FROM keywords WHERE short_name like '%ambler'

chrome

Failed to prepare chrome query

Failed to execute insert query:

Failed to execute insert query

Failed to prepare update sql

Failed to exec update sql

Failed to exec update sql:

\Google\Chrome\User Data\Default\Preferences

Failed to open chrome preferences

Failed to write in chrome preferences

Rambler Updater System 1.9.19.0

rupdate.rambler.ru

Failed to connect to rupdate.rambler.ru

rambler.xml

Failed to load rambler.xml

//SearchPlugin/os:Url

Failed to check rambler.xml file

firefox

prefs.js

Failed to load prefs.js

Failed to write default valuesin prefs.js

Failed to open prefs.js file

Failed to write prefs.js file

Failed to write in prefs.js

Failed to write default values in prefs.js

Do search mozilla profile

Firefox

Mozilla

*.default

1234567890

Failed to create file 'search.ini'

Failed to write in 'search.ini' file

hXXp://nova.rambler.ru/search?query=%s

Suggest URL

Failed to get Opera settings path

Setup default search for Opera

search.ini

Failed to EditSearchIni Opera\operaprefs.ini file

opera

Failed to EditSearchIni Opera\search.ini file

operaprefs.ini

Opera\Opera

%s\operaprefs.ini

ntdll.dll

kernel32.dll

Failed to send reports logs

0:0:0:0:0:0:0:0:0

Failed to load 'kernel32.dll'

%d:%d:%d:

Failed to load kernel32.dll

L{9BE75982-243A-4f30-918F-D3DC61A44F4C}

pHKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

holdem_scheduler.log

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

Wadvapi32.dll

ShellExecute failed to elevate

Failed to TaskMSIInstall::exec

msiexec.exe

install.log

rupdate.exe

Failed to setup value 'Rambler Update' to RunOnce register key

Failed to delete 'Rambler Update' from 'Run' register key

{643B953E-6E60-4CE2-98D9-B46E7AAA9C3E}

Software\Rambler\Update\{D9527E5B-427D-450F-9FDF-351C08163520}

/C /Q ping 1.1.1.1 -n 1 -w 3000 > Nul & Del

cmd.exe

Failed to remove rupdate.exe

debug.log

DebugMessage.exe

Shell32.dll

reports

Can't create registry key:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RUpdate.exe

%Documents and Settings%\%current user%\Application Data\Rambler\Holdem\holdem_scheduler.log

1,9,19,0

RUpdater.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   RUpdate.exe:380
   RUpdate.exe:928
   Zona.exe:1688
   Zona.exe:1716

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Zona\init.xml (335 bytes)
   %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\zona.ru\zona.sol (47 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\appdata.7z (1326784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\zon1.tmp (47 bytes)
   %Documents and Settings%\%current user%\Desktop\Zona.lnk (706 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Zona.7z (435264 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\rambler_r33.7z (27336 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YRI_X[1].jpg (2432 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Zona.lnk (712 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ZonaInstall.log (12853 bytes)
   %Program Files%\Zona\utils.jar (29 bytes)
   %Program Files%\Zona\License_uk.rtf (21 bytes)
   %Program Files%\Zona\License_en.rtf (5 bytes)
   %Program Files%\Zona\License_ru.rtf (23 bytes)
   %Documents and Settings%\%current user%\Application Data\Rambler\Holdem\holdem_scheduler.log (565 bytes)
   %Documents and Settings%\%current user%\Application Data\Rambler\Holdem\assistcookie.tmp (10 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\del_cookie_assist[1].xml (10 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@rambler[1].txt (169 bytes)
   %Documents and Settings%\%current user%\Application Data\Zona\launch.log (7639 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Zona" = "%Program Files%\Zona\Zona.exe /MINIMIZED"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.