Virus.Win32.Sality_662fc7fa7b

by malwarelabrobot on March 22nd, 2014 in Malware Descriptions.

BetterInstaller (fs) (VIPRE), mzpefinder_pcap_file.YR, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Installer, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 662fc7fa7bc066d5f38bfcf19998b39a
SHA1: 13462ddb0c3ec74ff0231de718f681621600a361
SHA256: 07830f7b3cd9d8a5fb01080bbf230820d70adc6f78da6b6bc60029be878fdd03
SSDeep: 6144:bA0m3T0AOrb4qYz3c c7c5FNIBJzAUUPmwjlXR:bA0iT0AOrbkz3cv7c5FNI7pYD1R
Size: 246232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-17 11:14:12
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

wmic.exe:2284
biclient.exe:1708
biclient.exe:1340
UpdateCheckerSetup.exe:1328
%original file name%.exe:3336

The Virus injects its code into the following process(es):

update_checker.exe:2232
biclient.exe:1248
ctfmon.exe:252
4.tmp:4080

File activity

The process wmic.exe:2284 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\TempWmicBatchFile.bat (0 bytes)

The process update_checker.exe:2232 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (29280 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (26996 bytes)

The process biclient.exe:1708 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\cd0f26e15f03dd4c8cfe826143cf376a[1].txt (26899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\storage[2].swf (773 bytes)

The process biclient.exe:1248 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (9760 bytes)
%Documents and Settings%\%current user%\Cookies\L8JU4RSI.txt (547 bytes)
%Documents and Settings%\%current user%\Cookies\EX9WZQ4Y.txt (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ga[1].js (22940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tokyo_sprite_full[1].png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (71020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ajax[1].txt (773 bytes)
%Documents and Settings%\%current user%\Cookies\XHEQ03NB.txt (115 bytes)
%Documents and Settings%\%current user%\Cookies\TNYVAA1F.txt (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0e11044f561def4bac902d3d5a6c4169[1].txt (31595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tokyoWhiteSparkMiddleBG[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Cookies\QX6HVGMC.txt (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\storage[1].swf (773 bytes)
%Documents and Settings%\%current user%\Cookies\U6PVXK8I.txt (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (9760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (9760 bytes)
%Documents and Settings%\%current user%\Cookies\F330J03M.txt (547 bytes)
%Documents and Settings%\%current user%\Cookies\HQNSO3HB.txt (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\4CVJKYRT.txt (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\HQNSO3HB.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\L8JU4RSI.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (0 bytes)
%Documents and Settings%\%current user%\Cookies\QX6HVGMC.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\U6PVXK8I.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\EX9WZQ4Y.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ajax[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\XHEQ03NB.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\F330J03M.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\TNYVAA1F.txt (0 bytes)

The process biclient.exe:1340 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tokyo_sprite_full[1].png (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\storage[1].swf (773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ajax-bidl[1].txt (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe (12251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\8c1a1a3c329da9488dc4f5116e78fda0[1].txt (24432 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (0 bytes)

The process UpdateCheckerSetup.exe:1328 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\FilesFrog Update Checker\Check for Updates.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FilesFrog Update Checker\Uninstall.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslA.tmp (10215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\update_checker.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\uninstall.exe (1328 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB.tmp (0 bytes)

The process 4.tmp:4080 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ajs[1].php (3313 bytes)
%Documents and Settings%\All Users\Desktop\FLV Video Player.lnk (721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\modern-header.bmp (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\offer[1].js (5223 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014032120140322\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6\license.txt (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Cookies\QKFDH3FS.txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_container[1] (752 bytes)
%Documents and Settings%\%current user%\Cookies\3053U27W.txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6\Helper.dll (36965 bytes)
%Program Files%\FLV Video Player\log.log (7453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\offer[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6\soffer.dll (2243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_offer[1].htm (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_offer[2].htm (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\banner[1].jpg (4364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\init_container[1] (752 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_container[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\QKFDH3FS.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)

The process %original file name%.exe:3336 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000685DC_rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (6436 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%WinDir%\67dae (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)

Registry activity

The process wmic.exe:2284 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6B 9F D1 FE A9 39 89 61 93 EB C1 A9 03 08 EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process update_checker.exe:2232 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 7C 42 66 A1 C0 09 D3 81 73 DD CC 03 8F 53 99"

[HKCU\Software\Somoto\SDP]
"affid" = "network_smb_filesflash"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Somoto\SDP]
"flags" = "32"
"nc" = "Type: REG_QWORD, Length: 8"
"muid" = "cda9ea544c42f5c076ed65a6b085ab29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\sdp]
"(Default)" = "URL:SDP Protocol"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Somoto\SDP]
"uid" = "be617591a98f744b93219419373f5f71"

[HKCU\Software\Microsoft\Internet Explorer\ProtocolExecute\sdp]
"WarnOnOpen" = "0"

[HKCR\sdp]
"URL Protocol" = ""

[HKCR\sdp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\update_checker.exe /protocol %1"

To run itself automatically each time Windows boots, the Virus adds the following entry pointing to its file to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SDP" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\update_checker.exe /auto"

The process biclient.exe:1708 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 69 23 DF 80 27 3F E4 05 0F B1 45 92 39 0B 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process biclient.exe:1248 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC E3 6A B1 E1 E7 BC 6D C8 0F 69 8E 98 55 53 E0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process biclient.exe:1340 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 01 E8 87 17 B1 10 B4 29 EB DA FA 55 17 14 9C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

To run itself automatically each time Windows boots, the Virus adds the following entry pointing to its file to the registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"network_smb_filesflash" = ""

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ctfmon.exe:252 makes changes in the system registry.
The Virus deletes the following value(s) in system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process UpdateCheckerSetup.exe:1328 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker]
"DisplayName" = "FilesFrog Update Checker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 47 F8 95 BA 71 45 9D DC 65 9C 86 E8 85 97 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process 4.tmp:4080 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032120140322]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032120140322]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032120140322]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E FA 0D BF 79 89 DA B3 39 EA 90 71 5E CC 38 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\Applications\4.tmp]
"IsHostApp" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014032120140322]
"CachePrefix" = ":2014032120140322:"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014032120140322"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:3336 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Jmicbaaosmd]

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 9F 35 8B 06 DE 75 FF 40 59 8F 02 C9 F6 D5 8D"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\biclient.exe,"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

The Windows Firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

A rule is added to the Windows Firewall that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Network activity (URLs)


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wmic.exe:2284
    biclient.exe:1708
    biclient.exe:1340
    UpdateCheckerSetup.exe:1328
    %original file name%.exe:3336

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\TempWmicBatchFile.bat (0 bytes)
    %Documents and Settings%\%current user%\ntuser.dat.LOG (29280 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (26996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\cd0f26e15f03dd4c8cfe826143cf376a[1].txt (26899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\storage[2].swf (773 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (9760 bytes)
    %Documents and Settings%\%current user%\Cookies\L8JU4RSI.txt (547 bytes)
    %Documents and Settings%\%current user%\Cookies\EX9WZQ4Y.txt (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ga[1].js (22940 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tokyo_sprite_full[1].png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ajax[1].txt (773 bytes)
    %Documents and Settings%\%current user%\Cookies\XHEQ03NB.txt (115 bytes)
    %Documents and Settings%\%current user%\Cookies\TNYVAA1F.txt (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0e11044f561def4bac902d3d5a6c4169[1].txt (31595 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tokyoWhiteSparkMiddleBG[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Cookies\QX6HVGMC.txt (285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\storage[1].swf (773 bytes)
    %Documents and Settings%\%current user%\Cookies\U6PVXK8I.txt (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (9760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (9760 bytes)
    %Documents and Settings%\%current user%\Cookies\F330J03M.txt (547 bytes)
    %Documents and Settings%\%current user%\Cookies\HQNSO3HB.txt (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\4CVJKYRT.txt (547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tokyo_sprite_full[1].png (893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\storage[1].swf (773 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ajax-bidl[1].txt (762 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\8c1a1a3c329da9488dc4f5116e78fda0[1].txt (24432 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\FilesFrog Update Checker\Check for Updates.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\FilesFrog Update Checker\Uninstall.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nslA.tmp (10215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\update_checker.exe (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\uninstall.exe (1328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ajs[1].php (3313 bytes)
    %Documents and Settings%\All Users\Desktop\FLV Video Player.lnk (721 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\modern-header.bmp (3072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\offer[1].js (5223 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014032120140322\index.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6\license.txt (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Cookies\QKFDH3FS.txt (114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_container[1] (752 bytes)
    %Documents and Settings%\%current user%\Cookies\3053U27W.txt (114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\UAC.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6\Helper.dll (36965 bytes)
    %Program Files%\FLV Video Player\log.log (7453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\offer[1].css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6\soffer.dll (2243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_offer[1].htm (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\init_offer[2].htm (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\banner[1].jpg (4364 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\init_container[1] (752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\config.ini (102 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000685DC_rar\%original file name%.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (6436 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SDP" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FilesFrog Update Checker\update_checker.exe /auto"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "network_smb_filesflash" = ""

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
