Win32.Sality.3_65be649eb0

by malwarelabrobot on May 14th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.bxe (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, mzpefinder_pcap_file.YR, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, Adware, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 65be649eb0c521d833168cd3818cde6f
SHA1: e81aa35bc71fa7e9899ba5872b8eb661b27ba281
SHA256: 8fa383a3976ce5772e0e5c4c787410495b850b1f09dadae83dc033a69ced7f19
SSDeep: 12288:ODME43IfAOVWkhZwpHBladqfzuwIwm XMIY2MvBUYpO:ODM96vVWk8EwnlMOMJF
Size: 686736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: HD-Quality-v3V06.01
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

GI18X10700.exe:1288
wmic.exe:1540

The Trojan injects its code into the following process(es):

%original file name%.exe:1744
cbjcabfcehd.exe:648
Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GI18X10700.exe:1288 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)

The process wmic.exe:1540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81431477426.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81431477426.txt (0 bytes)

The process %original file name%.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\kll.dll (3678 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cbjcabfcehd.zip (59748 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
C:\mgjsd.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000827B5_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rc10.exe (412657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\nsisunz.dll (211 bytes)
C:\autorun.inf (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pdijn.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rc10.cbjcabfcehd (9120 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pdijn.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)

The process cbjcabfcehd.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OperaChecker25-6[1].exe (8690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81431477426\GI18X10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dc[1].js (2083 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81431477426.txt (0 bytes)

Registry activity

The process GI18X10700.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 97 B3 CB FB F1 D0 81 D0 D5 DC DB FC 2E 54 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\OperaOB]
"Install" = "1"

The process wmic.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 C7 13 75 19 79 CD 72 FD 81 D8 4B 11 30 BC 47"

The process %original file name%.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "1022174809"

[HKCU\Software\Aas\695404737]
"35845605" = "383"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "26CEFB056C4C612B18DF8A4E39AD3E086BC14A679A0C16609597EAFA4EF436B86480FE516A315D6A51F28DA8CC0B11C7B9B304C866869787A103BDFE12342ED26176866CF93A99E8E0CDB62E08DCA2F8E5A923A228BAEAE68DD518B021F8E826E6A8FDBA0704B9328FCAEA4242FC6AF4104D60B896922EC0CEDBAF6F67E08E9F"
"43014726" = "0A00687474703A2F2F6163656D6F676C75737563756B6C6172692E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F612D6272696E672E636F6D2F73616E79626F6F6B2F6C6F676F2E67696600687474703A2F2F746E36396162692E636F6D2F696D616765732F6C6F676F662E67696600687474703A2F2F67696D382E706C2F6C6F676F2E67696600687474703A2F2F61636C617373616C657274732E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E3370696E6469612E696E2F696D616765732F6C6F676F2E67696600687474703A2F2F6163692E6772617469782E636F6D2E62722F6C6F676F2E67696600687474703A2F2F3173327176683931782E736974652E61706C75732E6E65742F696D616765732F6C6F676F2E67696600687474703A2F2F6162622E696E642E696E2F6C6F676F2E67696600687474703A2F2F7777772E616B70617274697361726976656C696C65722E636F6D2F696D616765732F696D672E676966"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "152"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 CC 8B 32 EF 6C 1D 6C CC F1 6D CE BC CC 5D 41"

[HKCU\Software\Aas]
"a2_0" = "5871"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process cbjcabfcehd.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 0C 9D 54 4F 93 C9 2B 67 52 80 46 46 88 F7 1F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
e290cb423110946a91b219d7547c32cd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000827B5_Rar\%original file name%.exe
10ffabc748d68c40b68f883058c9b932 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81431477426\GI18X10700.exe
9f0f5c6c70927185fb894025a54aea18 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cbjcabfcehd.exe
ff7c9d48e40ecda166d835cd920cd43c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\kll.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\nsisunz.dll
10ffabc748d68c40b68f883058c9b932 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OperaChecker25-6[1].exe
df12dfdbf2ad7d45e71ee81f81be3825 c:\mgjsd.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: 1424353697
Product Version: 1.15219.23.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.48344 0963fada6451ca3a71f8c975c3c715f3
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 102400 102400 5.28898 4b3c713decca392c86e9bb076c65f945

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
dcf0a5b32535bb791e460e2291b804da

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/OperaBrowser/OperaChecker25-6.exe
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1&nipids=-13298-12929-20458-26068-27801&secondcall=1&reqid=272409833
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&reqid=272409833&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png
hxxp://serv.the-app-data.info/Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1 107.21.94.185
hxxp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0& 54.225.114.189
hxxp://serv.the-app-data.info/Installer/Track?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&reqid=272409833&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 107.21.94.185
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg 198.232.124.224
hxxp://serv.the-app-data.info/Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1&nipids=-13298-12929-20458-26068-27801&secondcall=1&reqid=272409833 107.21.94.185
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg 198.232.124.224
hxxp://stats.g.doubleclick.net/dc.js 74.125.140.157
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg 198.232.124.224
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe 198.232.124.192
hxxp://static.revenyou.com/offers/images/Theme12/button.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg 198.232.124.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /offers/images/Theme12/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 13 May 2015 00:37:11 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/bgImg.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 13 May 2015 00:37:12 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/nextCase.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 13 May 2015 00:37:12 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..HTTP/1.1 404 Not Found..Date: Wed, 13 May 2015 00:37:12 GMT..Co
ntent-Type: text/html..Content-Length: 1245..Connection: keep-aliv
<<< skipped >>>


GET /Installer/Track?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&reqid=272409833&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 13 May 2015 00:37:11 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html
; charset=utf-8..Date: Wed, 13 May 2015 00:37:11 GMT..Server: Microsof
t-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Po
wered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....



GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 May 2015 00:37:13 GMT
Content-Type: application/octet-stream
Content-Length: 50225
Connection: keep-alive
x-amz-id-2: rSXuGusUMdqHVDoCWARYIlTomTS6DYHW5RQtKbTNNLW3gQe1J/uMJFeh/wGSeUQA
x-amz-request-id: 6AAC73386C1C1921
Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT
ETag: "10ffabc748d68c40b68f883058c9b932"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......PC..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
..PC.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>


GET /Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 13 May 2015 00:37:08 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 25158
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*lps(cid
_oYn^ps_q*cmh'*hdc_qo/Btf\fg`IebepN[m^ck9nbfcma_63#^hotg_5--4- %he
__h8*46.%_osilmrga7122$nqn[gq72.&gh_pkj: cbb; .c[;/ hoaeb5,.tblreo
l8.)*$brsarl\d8) ).Q]tc.2(**.;c`irdgiZjA[s]"8..'.?knhrippk`lP
baJayq.2..*.J`uoso.5&/).Dbfc^ldoc.4,-, KjjfmqcnjR_o].3 .&!@iq^
j`i_k]xNar`.5&/).Rheck9amcoCmot_gd.3.).UerrpYgHdc_q?okhYi]Jfhd.: .
$.<_kLtjAq>``\i_iw.:rmm`% OomEn?b_m^qpcuaIlnl\ejbl!6" '
.MnlFhQagsgYmBlpn`hlcm.5. ).OneCs]M^qrfsPeph.5. ).OneCs]M^qrfsRajp].3 
.&!Loqo=s^PbmthtR`jh.8.. .Pmnl@qcO_rqlrQYgnc.4!., KgnmPbaJay1-.5. 
).OksrM]bDcv03.: .u't MirpEv`.5. ).OneCs].3 .&!?okkgi^lqNxle 5
('.Klhhpix\ldhlQsoas 5.,. ).QagI`q.3 EEDU_JJ;<E]J;[email protected]@N
EZWo`[qp_`ncf`kNhdqq`neZWo`[qp_`ncf`kciz.v.DKCTWGHA>F^IAACAI>.PI
EPW?M=WUqt_dp-n\_`Lmcnv]rcWTnpcbn,lae``ku.y.GGEWZDJ<[email protected]@S
SAP@TWhkfa`)pjpkNhdqq`neZWghbe^'ohuqchw.z.BJAY]GG>:J\G@?HGI=.LM
CNV=RCWTqb scdsSmalrZpbV[ri qa`pfmv.x FF=TXJL=@H_K<;CBLB.RKFRR9M>
;ZYcrpapokpkdPiepw_m]WUgpn`ntqpjaany.{.HI@QZEM@;K[M?>@DGC.MNBTU<
J@UZh_x)fgi\Nhdqq`neZWc`r ccm`hnw.w.FH?X[LM>9GXK>=GENC.KJ?RT;QA\
Zhqnm_onraap^`Nhdqq`neZWetlr^lsoe_m[cany.{.HI@QZEM@;K[M?>@DGC.MNBTU
<J@UZlgmebms]nLmcnv]rcWTjflf\nteqchw.z.BJAY]GG>:J\G@?HGI=.LM
<<< skipped >>>

GET /Installer/Flow?pubid=233&distid=24601&productid=1694&subpubid=0&campaignid=0&networkid=0&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:5C:94:64&netv=&d1=010331433&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=89.178.68.255&downloadtime=2/19/2015 1:48:17 PM&clickid=010331433020027411999&version=6.1&nipids=-13298-12929-20458-26068-27801&secondcall=1&reqid=272409833 HTTP/1.1


User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: serv.the-app-data.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 13 May 2015 00:37:11 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 26112
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8/$.Fmkcsez_oajgRvjdo
"8..'.PbaJay 5..% O_fGew1,.3 .&!NenjjoG_j_!6" '.
KkmaobpIB.2 % >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7  .Ev`MME 7.!(
"Cs]PKJ/.9."*.;jfk^hcHil`.5. ).NbfcmMME 7.gptn5'*lps(cid
_oYn^ps_q*cmh'*hdc_qo/Btf\fg`IebepN[m^ck9nbfcma_63#^hotg_5--4- %he
__h8*46.%_osilmrga7122$nqn[gq72.&gh_pkj: cbb; .c[;/ hoaeb5,.tblreo
l8.)*$brsarl\d8) ).Q]tc.2(**.;c`irdgiZjA[s]"8..'.?knhrippk`lP
baJayq.2..*.J`uoso.5&/).Dbfc^ldoc.4,-, KjjfmqcnjR_o].3 .&!@iq^
j`i_k]xNar`.5&/).Rheck9amcoCmot_gd.3.).UerrpYgHdc_q?okhYi]Jfhd.: .
$.<_kLtjAq>``\i_iw.:rmm`% OomEn?b_m^qpcuaIlnl\ejbl!6" '
.MnlFhQagsgYmBlpn`hlcm.5. ).OneCs]M^qrfsPeph.5. ).OneCs]M^qrfsRajp].3 
.&!Loqo=s^PbmthtR`jh.8.. .Pmnl@qcO_rqlrQYgnc.4!., KgnmPbaJay1-.5. 
).OksrM]bDcv03.: .u't MirpEv`.5. ).OneCs].3 .&!?okkgi^lqNxle 5
0'.Klhhpix\ldhlQsoas 5.,&7*-8)4.(((*7*,/)36.$.KcdEdu"8..&
#39;.PbaJay4/.5. ).QapmmlIZkb.9.ATJ.'.NoicqcrD<.3/).@hw_tkJ_dbl
!60*.AnP_fnEkrGikoZji.9-, @p`NPI.9."*.=s^SOF1.: .$.<mjg`jdJdf`
.8.. .Oda]mNPI.9.hroh5(-plu*dk_YoZqbluar,^gh(-l`earq*<tg_jcbKfd`jN\
pb_m;oda]mbb:.2-&nd\n6/0,84-/-1-2 /*318 -. /6*,640/!\dlrf^<.44 
)!ec^^o9144,!\mrhsnyg_5-/0#mxobgo5. $a`a90$cZ8 $fm`cg;,.q^ppcnj=4))!^v
q_qjaj8(.% O[sa"8()'.?a^hpimiYg=_q[!6"/.*41 .,8.9 -(/.6*
,5,66(*21... .AloaqbprmdoRcbC`rq.4!., KYthsq.9)1*.=a_c`nhre 5%,% Mlnio
rdgiK_q_!6-/'.?bq`ldlal^qMZrb.9)1*.Kg^cm;epepDfnm_if!60*.Ndkrr
<<< skipped >>>


GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=7200
Date: Wed, 13 May 2015 00:27:19 GMT
Expires: Wed, 13 May 2015 02:27:19 GMT
Last-Modified: Mon, 27 Apr 2015 18:49:35 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15842
Cache-Control: public, max-age=7200
Age: 595
Alternate-Protocol: 80:quic,p=1
...........}.[.J................>.( (..Z.}&.i....)...o..e&.....s.o.
i&k..5k.-~{....O.....>.2..............$.....v7...B.p.......S...;z'.
.^x,...e....u[....K....:...'... .F...{.zC=.I.=.......CO\AP]..v..>..
d..<1...?..5&.j.......<....7........x.zi.4.v..'.Co4.u..B.Q......
...NO...^_...L......Z.....=O.A..P..8....w......$..,.X.O,....]J,Y..H t#
{c.^.^7...{(i.....P...x.......;S}z?.........wc..cE..q.Y...v...;.7.Ff.~
I,...=.Q......t....Q.V.w.....go......S.CHA.'..O...d. [email protected]....${
k...]..........B.0....n.]'...~7~RY....ru..e.O..c..,y^..n..Y.A^.....B.P
><x.P'...A..y.WTo../J.......C..m..|O.....V-.W..W....P6wZ~5....y.
Z.:9*......'......?Nb....l........$.....n.1.d!{..c....I.FO&....I`z.$jd
[email protected]........<.`>v.....P.._]:..].X.DI......`.{...
....f.,od..9..P".F.e.....9..R..ac..c.....W.i*..E/-.^}..f....z>..2.H
..*<l^.....v.).Z.q=#..KW~..ib B.....V 8....M...Q.....2 8..F;.g...pE
^r.......B.;..2....;....q..`.I>;o....... .!.......l..P60I.bK.lE....
......s....Qy.8....#.^. ..G......7.Ze8c.sfrr..SJI...1.:.\YW..j3..H%...
........e.c.....[.n...-{...ov.z.........#[email protected].=..jR....]....xz.`.<
;.....}..*`.\..8.u.Bvc.ue.S[Y.EV...4...)......JUZ.vb..\. ...7....%f..2
6#.H].r.u...~....../.-.x[{5 ....,.<.;....6.T.[..R..d.ZX...[A.m.o>
;?U..c.[.v.....$e../~8^..xJ....R..... H..nq......H..4.5h.j<..l..u}}
.....Jj....-3.W(....8u..kF..a%`]3..C.`..a7.X.......-.$:[email protected]...
1".u...TjC.J~.Ym5..%[email protected] ...!NY...Qy......5..MN....x~1T..Qz.
T.e.J...M[.....Y?e][email protected]..........
<<< skipped >>>


GET /offers/images/Theme12/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 13 May 2015 00:37:11 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/bodyImg.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 May 2015 00:37:11 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 20 May 2015 00:37:11 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM
..z&..............u0...`..:....p..Q<...0PLTE.......................
.........................{.......IDATx......:..`..p..J.4.ty.:......)v.
.\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..].
.8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.
\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._.
.d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..&
gt;).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../
..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o
..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F
]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W
7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8..
......KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y.
.)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z
%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y.
..... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S..
...W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>[email protected])e
M.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J..
.,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.
*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.
J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....
X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>

GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Wed, 13 May 2015 00:37:12 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>......
<<< skipped >>>

GET /offers/images/Theme12/button_over.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 May 2015 00:37:12 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 20 May 2015 00:37:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...;IDATx..Z;o.1..Y.D...W."$=D..*[email protected].
...........;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.s
h..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[[email protected].
...y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?
7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.
......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K.....
...YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\
D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........
Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N.......
.*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..t
svP!.U0.q.......9z.e [email protected]............. .>=...{WVim...
.f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o
[email protected].^......IEND.B`.....


GET /offers/images/Theme12/button.png HTTP/1.1


Accept: */*
Referer: hXXp://srv.dmdataserver.com//offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 May 2015 00:37:12 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Wed, 20 May 2015 00:37:12 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e&
lt;...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi.......
.../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f.
..p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C......
.$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....
-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^
.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...



GET //offers/DynamicOfferScreen?offerid=5&distid=24601&leadp=1694&countryid=262&sysbit=32&imgurl=&dfb=0&hb=2&isagg=1&version=6.1&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: srv.dmdataserver.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 13 May 2015 00:37:12 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 11924
Connection: keep-alive
<html>.    <head>.      <title>5 - NonProduct (FLV P
layer)</title><script type='text/javascript'>var _gaq = _g
aq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push(['_setD
omainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', true]);..
                                            _gaq.push(['_trackPageview
']);..                                            (function() {..     
                                         var ga = document.createEleme
nt('script'); ga.type = 'text/javascript'; ga.async = true;..         
                                     ga.src = ('https:' == document.lo
cation.protocol ? 'hXXps://' : 'hXXp://')   'stats.g.doubleclick.net/d
c.js';..                                              var s = document
.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);.
.                                            })();</script><s
tyle type='text/css'>body      {          width:100%; height:100%; 
margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12
px;}   .divLeadpName      {         border-bottom-style:groove;border-
bottom-width: thin; padding-left:61px; padding-top:9px; font-size:font
-family:helvetica; font-style:italic; font-size:25px;                 
font-weight:bold; color:black; position:absolute;   width: 100%; backg
round-color: #fff; ba}   #divTop         {display: none}  #divMiddle  
    {background-color: #efecec; height: 100%;} #middle    {background-
color: #fff;} .divOnNext      {          position:absolute; width:
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1744:

.text
.rdata
.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cbjcabfcehd.exe 2-3-6-6-1-7-4-8-8-5-6 LU1DPjwrLysYKk1TP0pDQzYsGCdJP1JUSUxKQkA1KBspQkZNTkg9OSosMSovHSk9SD05KBgqSlBMPk9CTVtBPDgrNDYuGi5MQUpOQExdUkxGPGFwbGg1KS1wX2x1J3BgXShbbm0nXmBtXSZhaWBtHSk9S0I/Q0E/Ny4uKi0yKjArKyssLi0sMTMqLTExNBotQSs3LyosKyssLjEwGilDKzklKRspQjA3JzAZKzwsOCcvHSk NDYpKRgqSlBMPk9CTVtISkRQP0BTNx8oTEpHP09BUVk/VEU9NRgqSlBMPk9CTVtGOUg/Ox0pP1c W01KRzceLD9SRFg/RTxHQ0xCNxouQUtLTFo8UExRTURLOSoYKk5GPkhFWEhRV01NRjsdKVBMNi4YJz9NLzoaKVFOSkxBSD9dVD9GQkhJPUFIO0VCT0xLNhwnQU5ZUFJITkhGQTVsbW9jHSlMRE1RSkZESEVcT01ES1s8OVRNOy8aKUdCQD1QOCseLENNXj1VRjlIQ0FcP0hCS1VITEA O2NbZnJeHCc8SlFMSUk7Q1hFSDUzMywuMTItLzQmKjAvHixOQ0w OSksLS4xMi0wODAcJzxKUUxJSTtDWFBBRUA3MCwrMy4rLCktJSs4MTI0MDAmSEU=
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rc10.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cbjcabfcehd.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cbjcabfcehd.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rc10.exe
nsisunz.dll
1.2.2
Extract: %f
%u byte%c
(%u byte%c)
%d.%d%d Ë%c
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
0*1014181<1
H<.Tt^
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
nsh2.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
@@@`777-
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
SHELL32.DLL
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000827B5_Rar\%original file name%.exe
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
4jtp://maxoregypt.com/images/logof.gif
hXXp://etraum.com/images/s.jpg
hXXp://68.168.222.206/logos.gif
.info/J
home.gifI888
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
MSVCRT.dll
WS2_32.dll
00000000
1424353697
1.15219.23.0

%original file name%.exe_1744_rwx_003F0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

cbjcabfcehd.exe_648:

.text
`.rdata
@.data
.rsrc
@.reloc
.CGy,
<9%u3
FTPj
YPSSSh
,4,56,789
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
3.7.16.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
922337203685477580
SQLITE_
?API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s\etilqs_
%s\%s
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
%s(%d)
keyinfo(%d
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
cannot modify %s because it is a view
table %s may not be modified
Cforeign key mismatch - "%w" referencing "%w"
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
no such index: %s
SCAN TABLE %s %s%s(~%d rows)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
sqlite_master
sqlite_temp_master
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s AS %s
%s TABLE %s
%s SUBQUERY %d
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
foreign key constraint failed
unable to use function %s in the requested context
zeroblob(%d)
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
no such collation sequence: %s
%s - %s
malformed database schema (%s)
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
%s-shm
bind on a busy prepared statement: [%s]
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
too many terms in %s BY clause
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
invalid name: "%s"
automatic extension loading failed: %s
d-d-d d:d:d
d:d:d
d-d-d
M@d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
BmTindexed columns are not unique
Recovered %d frames from WAL file %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
Page %d:
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
sqlite3_get_table() called with two or more incompatible queries
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
unknown database: %s
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY must be unique
constraint %s failed
%s.%s may not be NULL
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
misuse of aggregate: %s()
constraint failed at %d in [%s]
abort at %d in [%s]: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
statement aborts at %d: [%s] %s
cannot use index: %s
at most %d tables in a join
cannot open value of type %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
%s.%s.%s
too many references to "%s": max 65535
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
indexed
foreign key
cannot open view: %s
cannot open virtual table: %s
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_check
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
Error %d has occurred.
Error %u in WinHttpReadData.
Error %u in WinHttpQueryDataAvailable.
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpWriteData
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpSetOption
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
KERNEL32.dll
EnumChildWindows
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
zcÁ
{A0386B19-B7E7-4BE7-B567-ABF77CBB6E60} = s `ATLExecServer'
`ATLExecServer.EXE'
val AppID = s {BCCC2C7F-1383-417B-944F-1677DF428E44}
ForceRemove {FA20B59B-21AA-44FC-8A68-450979B7CC90} = s 'CBrowserExternals Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{D14931FB-8313-4BCC-91EB-62F4EF2A8FC4}'
ForceRemove {622D38AD-B4A9-4170-8192-5B865C6A5DCE} = s 'CBrowserExternalImp Class'
ForceRemove {D14931FB-8313-4BCC-91EB-62F4EF2A8FC4} = s 'CBrowserExternal Class'
stdole2.tlbWWW
~cmdWd
OpenUrlW
urlWd
method OpenUrl
Created by MIDL version 7.00.0555 at Thu Feb 19 12:58:07 2015
<BUTTON onclick='window.external.OnClick(theBody, "red");'>Red</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "green");'>Green</BUTTON>
<BUTTON onclick='window.external.OnClick(theBody, "blue");'>Blue</BUTTON>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
=->/?>?[?
4"4(404-5
3%4s4<5
5 5$5(5,5`5
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gEXESTR
RUNTIME_WELCOMEIMAGEURL
THANKYOU_URL
EXE_CMDLINE
EXE_URL
SERVER_URL
execmdline
exeurl
\Microsoft\Windows\Cookies
cookies.sqlite
sqlite
\Mozilla\Firefox\Profiles
SELECT value,last_access_utc FROM cookies WHERE host_key LIKE '%
\..\Local Settings\Application Data\Google\Chrome\User Data\Default\
\..\Local\Google\Chrome\User Data\Default\
Chrome_WidgetWin_1
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
OLEACC.DLL
SELECT url FROM moz_places WHERE url LIKE '%
places.sqlite
\default.html
Safari.exe
Opera.exe
firefox
chrome
http\shell\open\command
Opera.HTML
IE.AssocFile.HTM
FirefoxHTML
ChromeHTML
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
virtualoffercmd
opera
&welcomeimgurl=
&chromev=
CHROMEVERSION
@@exeurl
AntivirusesRegKeys
RegKey64
RegKey32
PostRegKey64
PostRegKey32
PostExeResultValue
PostExeResultTerm
PreExeResultValue
PreExeResultTerm
PostExe
PreExe
ReportName
RegKey
ExeURL2
ExeURL
OfferURL
{BCCC2C7F-1383-417B-944F-1677DF428E44}
OLEAUT32.DLL
Mscoree.dll
888816666554443
6666554443
!6666554443
JWinHttpClient
virtualoffercmd:
downoad.exe
load.exe
RTURL=
n2d.exe
VirtualOfferCmd
VirtualOfferCMD
VIRTUALOFFERCMD
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
LKERNEL32.DLL
WUSER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cbjcabfcehd.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
2015.219.1057.8
201521910578.exe

%original file name%.exe_1744_rwx_00440000_00010000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000827B5_Rar\%original file name%.exe
%original file name%.exe
.rsrc
.text
c:\%original file name%.exe
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
4jtp://maxoregypt.com/images/logof.gif
hXXp://etraum.com/images/s.jpg
hXXp://68.168.222.206/logos.gif
.info/J
home.gifI888
KERNEL32.dll
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

%original file name%.exe_1744_rwx_00A40000_0108E000:

c:\windows
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
%System%\drivers\lkmtl.sys
5343908871
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll

%original file name%.exe_1744_rwx_023D0000_00001000:

|%original file name%.exeM_1744_

cbjcabfcehd.exe_648_rwx_02840000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

cbjcabfcehd.exe_648_rwx_02950000_00001000:

|cbjcabfcehd.exeM_648_

Explorer.EXE_1140_rwx_00FF0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_1140_rwx_01E00000_00001000:

|explorer.exeM_1140_


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GI18X10700.exe:1288
    wmic.exe:1540

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\81431477426.txt (238 bytes)
    %WinDir%\system.ini (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\kll.dll (3678 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cbjcabfcehd.zip (59748 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
    C:\mgjsd.exe (103 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000827B5_Rar\%original file name%.exe (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rc10.exe (412657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\nsisunz.dll (211 bytes)
    C:\autorun.inf (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pdijn.exe (741 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rc10.cbjcabfcehd (9120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OperaChecker25-6[1].exe (8690 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\DynamicOfferScreen[1].htm (2083 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\81431477426\GI18X10700.exe (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dc[1].js (2083 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now