Win32.Sality.3_84270c03da

by malwarelabrobot on September 11th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.iBryte.jcr (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 84270c03daadd6bea52ba797f5f647fe
SHA1: 8b80277b718da6498449354baba9b48916a3afe7
SHA256: 9c2d9302a0d09c45857fc763cf43b24629cae2c58a19af60c49abbb32a18ce76
SSDeep: 24576:Sabs2agxSL4x33q7d9EljaB4CNpk0 LRjiF4pOaCgi5CICjNJoVn:SGzHxSL4xK77EljaB4CNpk0 FuuOaCg0
Size: 1131816 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-08 22:26:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that replicates primarily across networks or removable drives.

Payload

Behaviour: Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:1736

The Worm injects its code into the following process(es):

%original file name%.exe:2140
Explorer.EXE:888

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2140 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9PL5V6Q\header_basicinstaller[1].jpg (2454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5JCZ44MH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\header.jpg (1444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bottom.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BOO0MMUA\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8F2IR377\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lock.temp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\truste.jpg (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9PL5V6Q\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\side.jpg (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5JCZ44MH\offer_expired[1].jpg (4950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (4902 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\header.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bottom.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\truste.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\side.jpg (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)

Registry activity

The process %original file name%.exe:2140 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 61 74 49 76 5A 6A 0D 20 7A 30 28 1B 45 67 BE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1736 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "363132892"

[HKCU\Software\Aas\695404737]
"35845605" = "383"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "26CEFB056C4C612B18DF8A4E39AD3E086BC14A679A0C16609597EAFA4EF436B86480FE516A315D6A51F28DA8CC0B11C7B9B304C866869787A103BDFE12342ED26176866CF93A99E8E0CDB62E08DCA2F8E5A923A228BAEAE68DD518B021F8E826E6A8FDBA0704B9328FCAEA4242FC6AF4104D60B896922EC0CEDBAF6F67E08E9F"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "152"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 71 BD 49 91 D8 47 D2 D8 1E 7D 7B 0B 79 53 4F"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a2_0" = "8009"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Adds a rule to the Windows Firewall which allows any network activity for the file:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Dropped PE files

MD5 File path
1c1ea87018741b40ce59ef38413f3bf8 c:\dlprfk.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 108249 108544 4.57628 a86fc2bf538baa7b21677cff46db8507
.rdata 114688 15318 15360 3.73449 8c967fde6f1a1c1883021b4f09df413f
.data 131072 1809956 905216 4.66928 a69393230e015e6399a865381f97f513
.rsrc 1941504 98304 96768 5.23044 333698a7920490beb864e179803b42a6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://imp.oi-imp1.com/impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=admin_true&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=www.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager 54.243.208.150
hxxp://imp.oi-imp1.com/impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=guest&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=www.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager 54.243.208.150
hxxp://imp.oi-imp1.com/impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=setup_run&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=www.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager 54.243.208.150
hxxp://imp.oi-imp1.com/impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=dpi_1&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=www.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager 54.243.208.150
hxxp://config.oi-config1.com/config/downloadmanager/offers.json?version=3.4.8&pid=installer&ts=2013-07-10T18:37:14.7140762Z&cc=US&ro=1 50.17.210.69
hxxp://imp.oi-imp1.com/impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=json_installer_initialize_734&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=www.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager 54.243.208.150
hxxp://dm930xmxv1gqs.cloudfront.net/installerpackage/wisedownloads/muted/header_basicinstaller.jpg 54.192.54.86
hxxp://dm930xmxv1gqs.cloudfront.net/bundles/OfferExpired/offer_expired.jpg 54.192.54.86


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Adware.iBryte.B Install
ET MALWARE Win32.AdWare.iBryte.C Install

Traffic

GET /impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=admin_true&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=VVV.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: imp.oi-imp1.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:17 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /config/downloadmanager/offers.json?version=3.4.8&pid=installer&ts=2013-07-10T18:37:14.7140762Z&cc=US&ro=1 HTTP/1.1
User-Agent: 84270c03daadd6bea52ba797f5f647fe
Host: config.oi-config1.com


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 42530
Content-Type: application/json
Expires: -1
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:17 GMT
Connection: close
{..  "headers": [..    {..      "1": "hXXp://dm930xmxv1gqs.cloudfront.
net/installerpackage/wisedownloads/muted/header_basicinstaller.jpg",..
"1.25": "hXXp://dm930xmxv1gqs.cloudfront.net/installerpackage/wi
sedownloads/muted/header_basicinstaller.jpg".. }.. ],.. "template
": {.. "height": "500",.. "width": "680",.. "borderColor": "1
92,192,192",.. "style": "<style type=\"text/css\"> a, img {bo
rder:none;outline:none;}html, body{overflow: hidden;color: #333;margin
: 0;padding: 0;font-family: Arial;}.clickthis{position: absolute;left:
25px;top: 0;bottom: 0;right: 0;cursor: pointer;}.express{overflow: au
to;position: relative;width: 460px;height: 170px;margin-top: -5px;back
ground: rgb(254, 254, 254);}a:hover, a:visited, a{color: #175891;text-
decoration: none;border: 0;}#bottom-links{position: absolute;bottom: 4
0px;font-size: 8px;}#right-side{width:90% !important;height:95% !impor
tant;position: relative;margin: 0 0 0 10px;}#container{overflow: hidde
n;position: absolute;margin: 0;padding: 0;height: 80%;}input[type='che
ckbox']{margin-right: 10px;font-size: 8px;font-family: Arial, Helvetic
a, sans-serif;}h2, p, ol, ul, li{margin: 0px;padding: 0px;font-size: 1
2px;font-family: Arial, Helvetica, sans-serif;}ol, ul{padding: 3px 0 1
0px 22px;}li{padding: 0 0 4px 0;}hr{border: none;height: 1px;border-to
p: 1px dashed #999;}.expandable-panel{width: 440px;position: relative;
overflow: hidden;margin-bottom: 5px;border: 1px solid rgb(232, 232, 23
2);}.expandable-panel-heading{clear: both;background-color: rgb(25

<<< skipped >>>

GET /impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=json_installer_initialize_734&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=VVV.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: imp.oi-imp1.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:19 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=guest&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=VVV.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: imp.oi-imp1.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:17 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=setup_run&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=VVV.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: imp.oi-imp1.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:17 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /impression.do/?user_id=9d834e20-2187-459a-b448-f71e374113e7&event=dpi_1&spsource=google_zoomdownloadmngr-display-us-728x90-23609154882&implementation_id=3.4.8&subid=software&subid2=VVV.livemixtapes.com&traffic_source=google_zoomdownloader&offer_id=downloadmanager HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: imp.oi-imp1.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 17:24:18 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /installerpackage/wisedownloads/muted/header_basicinstaller.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dm930xmxv1gqs.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 5341
Connection: keep-alive
Cache-Control: public
Last-Modified: Tue, 09 Sep 2014 21:38:58 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 09 Sep 2014 21:38:58 GMT
Age: 71122
X-Cache: Hit from cloudfront
Via: 1.1 10f04dcf7fab39d9dda9e8c964cf4ae1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VgSx6p-mcyPvfeyomzHFdeYXKKrjuZDi_Z6WuLcYPrLpHKRLhn0WeA==
......Exif..II*.................Ducky.......P......Adobe.d............
......................................................................
...............................................................R......
......................................................................
..................1A..V.!.".....U.WQ.R..Ta.2S.q..Bbt.w................
......Q.R..!..1A..aq..."2Br3D.............?....................I.w...-
%*....'V...i...0m.....`..r............................................
......................P.t.'........~,.l....Y.m6.s...eQixYm.n.DVR.....
.........k3.2...2.O-.Wm\.M$.O jifM4..Bbbi$LLV.".K..w.7.......R.H.Jjy`.
j".U......,...8 W..... .-z..d......d....<(.e..&...mi^..z...a[.t]O.X
..9....z.E....2...4..4...M.K..[t]...;.-...L.c.O.m.....3F..jk6fv...r...
*...Q.. V..W.%.,.lOnkW%Pi...onfnf...... .\.7..O6. ....................
................................................. R.s}.......u.......g
.n|..]........oc.)wF..r.Bir.e..n\i-.....Gq..9.p...:.[7n......z.....n..
....m.:n.wq>....>..xm..r4.>w-.......k..q...i.SE/........ub.~.
...u/..M....j..........rv...ylj...Y..*M.6k.#![...].........{;v........
.~..|............_............1'..vK{...9...c_.LX.eB7.....S....6mx.Rz.
}..k.....<...=..Oww.q..[^.......t}..k.M.j..}n.6f.y=be4..i<......
y.....f..e.3.Z..kw|..)7DDL....\K...8........O.l..?......g......?.....i
._...W..v..4h...Wc=.\..,R.j-..Qk..|x..7wM-.....[....m".31.............
........2u.<K3;.y6-..i\%.u.Y..jn...eh....u....e.O......7...)tE\...#
..H....{SL..E.>.....:...b......d\.Y<3(M',....)>g....m.7W.

<<< skipped >>>

GET /bundles/OfferExpired/offer_expired.jpg HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dm930xmxv1gqs.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 16938
Connection: keep-alive
Cache-Control: public
Last-Modified: Wed, 10 Sep 2014 03:19:14 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 10 Sep 2014 03:19:13 GMT
Age: 50706
X-Cache: Hit from cloudfront
Via: 1.1 10f04dcf7fab39d9dda9e8c964cf4ae1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: iYNYFFlmEtDMQbFeajkqTdo7jfCJw3xdRoSJiwS8dtssgm7pLKd9gg==
......Exif..II*.................Ducky.......P......Adobe.d............
......................................................................
......................................................................
......................................................................
.................!1AQa.."..q.2r...B#....R3..b$.C..S.&v7...............
.....B....1.............?....n..w..u..g\7....g.7....g\7.....w..t......
.`c.....`g...X..u.w..t........u.w..u..g\g...^.{.]_........i<W..;.!
.........................................................2&....m@.P...
.@..:.;[email protected].|.m....lP.......lP.......b......_-A.j..|.C.r....
..................................................?...M..4@. .......D.
....h.4O..'......w...p6....t@. .....D.........h.M.......I..U....\.....
.................................................TUCp.............._..
...........c_...5..."mRx..hv.BW.......................................
...................2 .@.......;.}.@;..uP.."[email protected].......
[email protected]=..6.?..5..."l.x..hv.BW...................................
...................U7...]SP2..|@.. [email protected]..\
..~=.~.L.......I..]....\..............................................
.......].n..Z.E....^..../.. %.'j..~.....&...S.....T......~.$.h.{....N.
'...B.........ox....;.........k.j.{T. .Z..............................
[email protected];....KU.Z..;....C.........I.N..
.........Wk..<...N.*T..5.p."...........k.j.{.. ....................
............................................I.....=..U......".....

<<< skipped >>>

The Worm connects to the servers at the following location(s):

%original file name%.exe_2140:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
FtPh
PSShPhH
hwEB
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
ITwHACErWBssH1wGJxEDCSEqLRAgAS0aKiwtAyk KTE4AlxRPjlVVQ==
%s (%s:%d)
E:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
Jw8pPCA6GyYvAgsqLCo9VQ==
IR9ROSwCWBssH1xHIz4PCiISHxwiKVVV
LSobJyofMQs6OhsqLQ9YVQ==
OBIQMScrUDg/LA8YJwAbJCQfKRw/ERsOJzshHi0qGwUkECkgISsHOSBZPVU=
IStcCysSHyksEQcbJAJYGSMPKQorERtdJztYGycPDD4=
bottom.jpg
side.jpg
header.jpg
truste.jpg
i_temp.temp
JyopCysSH1AsHwMZIFkpIiMSA1EgOwNdJzsxHj8uAD4=
MBAHPCA6GyYvAgsqLCo9VQ==
ITohDiwBHzopWSkbIB8lMiQ7GywwAQsrLx8HACMfC1wiPBsQLwFYGT0qAwIpLik6IhAhCi8BIV8lOhsGLBEDDCE6ISwwOyUqIzwPRyQCWT4=
IRIHAC87CyoiPAcZIBEDKiM8GDosAQsaLxEfUSQpUTkkWQMKKgEDXSIBKQApABsLIwEbXT0rKTkjOTECPzkpQw==
ITktOSU7IV8vEgcbJCstMSQ7AwQjOyE5ITofGik7LV0hPAQLIAE5GD0pB1wtPlhdIwIcMScsWF0/KSkYIxFYBiEfUBwqKwsqLx9cASc7LQsnKwMELSstKSM5KRopOSUJIhIHODkSDys/PFxV
JSlQICkBJSokOT0DJCocOSESHw49Ows7KxAfASk6UQ4iPBsQLwEhOywQHwYpOSY5ITwbJCo5VVU=
cmd.exe
#WINDOWSPATH
chrome
KQQpPCA6GyYvAgsqLCo9VQ==
ISsHICMBBxgkO1AYLSocPg==
CNotSupportedException
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
CCmdTarget
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
OLEACC.dll
GdiplusShutdown
gdiplus.dll
RPCRT4.dll
VERSION.dll
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
keybd_event
GetKeyboardState
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
UrlUnescapeA
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
DeleteUrlCacheEntry
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
.?AVCCmdTarget@@
.?AV?$CList@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@ABV12@@@
.?AV?$CArray@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@V12@@@
.PAVCException@@
.PAVCFileException@@
.PAVCObject@@
.?AV?$CArray@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@ABV12@@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdUI@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
zcÁ
3.4.8
c:\%original file name%.exe
X.eqn
müL
...aaattt
666;;;999
v4&s6(r6#t5#t5%s6%s6%t5#t5%s6%s6%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%s6(r82n>
1m=(r6#t5%s6*q95iA
W*(q9%t5%t5&s6(r6*q9'f4.m;,p;(r8%s6%t5%s6$s4%t5%t5%t5%t5%s6%s6%t5%t5%s6%s6%s6%s6#t5#t5&s6%s6#t5#t5(r6&s6
>0}?2}?-~?-
>0}?0}?-
>2|@0}?)
8N<-Y59}F2
(I.OyVn
123456789:;<=
%&'()* ,-./0
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security><security>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
4G4D4N4
55
4 4$4(4,4044484
7"7&7*7.737;7
: ;%;/;~;
6 6$6(6,6
? ?$?(?,?
: :(:0:<:`:
0 0<0\0|0
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
dgoogle_zoomdownloadmngr-display-US-728x90-23609154882^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d9d834e20-2187-459a-b448-f71e374113e7^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d2013-07-10T18:37:14.7140762Z^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
hXXp://ec2-107-20-76-158.compute-1.amazonaws.com/ThankYou/downloadmanager?source=google_zoomdownloadmngr-display-US-728x90-23609154882&subid1=software&subid2=VVV.livemixtapes.com&userid=9d834e20-2187-459a-b448-f71e374113e7&reason=complete&earlypop^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
hXXp://ec2-107-20-76-158.compute-1.amazonaws.com/ThankYou/downloadmanager?source=google_zoomdownloadmngr-display-US-728x90-23609154882&subid1=software&subid2=VVV.livemixtapes.com&userid=9d834e20-2187-459a-b448-f71e374113e7^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dsoftware^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dVVV.livemixtapes.com^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dgoogle_zoomdownloader^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|get.zoomdownloader.com|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Setup.exe
SetupManager.exe

%original file name%.exe_2140_rwx_00400000_000F2000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
FtPh
PSShPhH
hwEB
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
ITwHACErWBssH1wGJxEDCSEqLRAgAS0aKiwtAyk KTE4AlxRPjlVVQ==
%s (%s:%d)
E:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
Jw8pPCA6GyYvAgsqLCo9VQ==
IR9ROSwCWBssH1xHIz4PCiISHxwiKVVV
LSobJyofMQs6OhsqLQ9YVQ==
OBIQMScrUDg/LA8YJwAbJCQfKRw/ERsOJzshHi0qGwUkECkgISsHOSBZPVU=
IStcCysSHyksEQcbJAJYGSMPKQorERtdJztYGycPDD4=
bottom.jpg
side.jpg
header.jpg
truste.jpg
i_temp.temp
JyopCysSH1AsHwMZIFkpIiMSA1EgOwNdJzsxHj8uAD4=
MBAHPCA6GyYvAgsqLCo9VQ==
ITohDiwBHzopWSkbIB8lMiQ7GywwAQsrLx8HACMfC1wiPBsQLwFYGT0qAwIpLik6IhAhCi8BIV8lOhsGLBEDDCE6ISwwOyUqIzwPRyQCWT4=
IRIHAC87CyoiPAcZIBEDKiM8GDosAQsaLxEfUSQpUTkkWQMKKgEDXSIBKQApABsLIwEbXT0rKTkjOTECPzkpQw==
ITktOSU7IV8vEgcbJCstMSQ7AwQjOyE5ITofGik7LV0hPAQLIAE5GD0pB1wtPlhdIwIcMScsWF0/KSkYIxFYBiEfUBwqKwsqLx9cASc7LQsnKwMELSstKSM5KRopOSUJIhIHODkSDys/PFxV
JSlQICkBJSokOT0DJCocOSESHw49Ows7KxAfASk6UQ4iPBsQLwEhOywQHwYpOSY5ITwbJCo5VVU=
cmd.exe
#WINDOWSPATH
chrome
KQQpPCA6GyYvAgsqLCo9VQ==
ISsHICMBBxgkO1AYLSocPg==
CNotSupportedException
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
CCmdTarget
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
OLEACC.dll
GdiplusShutdown
gdiplus.dll
RPCRT4.dll
VERSION.dll
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
keybd_event
GetKeyboardState
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
UrlUnescapeA
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
DeleteUrlCacheEntry
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetProcessHeap
.?AVCCmdTarget@@
.?AV?$CList@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@ABV12@@@
.?AV?$CArray@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@V12@@@
.PAVCException@@
.PAVCFileException@@
.PAVCObject@@
.?AV?$CArray@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@ABV12@@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdUI@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
zcÁ
3.4.8
c:\%original file name%.exe
X.eqn
müL
...aaattt
666;;;999
v4&s6(r6#t5#t5%s6%s6%t5#t5%s6%s6%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%t5%s6(r82n>
1m=(r6#t5%s6*q95iA
W*(q9%t5%t5&s6(r6*q9'f4.m;,p;(r8%s6%t5%s6$s4%t5%t5%t5%t5%s6%s6%t5%t5%s6%s6%s6%s6#t5#t5&s6%s6#t5#t5(r6&s6
>0}?2}?-~?-
>0}?0}?-
>2|@0}?)
8N<-Y59}F2
(I.OyVn
123456789:;<=
%&'()* ,-./0
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security><security>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
4G4D4N4
55
4 4$4(4,4044484
7"7&7*7.737;7
: ;%;/;~;
6 6$6(6,6
? ?$?(?,?
: :(:0:<:`:
0 0<0\0|0
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
dgoogle_zoomdownloadmngr-display-US-728x90-23609154882^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d9d834e20-2187-459a-b448-f71e374113e7^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d2013-07-10T18:37:14.7140762Z^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
hXXp://ec2-107-20-76-158.compute-1.amazonaws.com/ThankYou/downloadmanager?source=google_zoomdownloadmngr-display-US-728x90-23609154882&subid1=software&subid2=VVV.livemixtapes.com&userid=9d834e20-2187-459a-b448-f71e374113e7&reason=complete&earlypop^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
hXXp://ec2-107-20-76-158.compute-1.amazonaws.com/ThankYou/downloadmanager?source=google_zoomdownloadmngr-display-US-728x90-23609154882&subid1=software&subid2=VVV.livemixtapes.com&userid=9d834e20-2187-459a-b448-f71e374113e7^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dsoftware^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dVVV.livemixtapes.com^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^dgoogle_zoomdownloader^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|get.zoomdownloader.com|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^d^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Setup.exe
SetupManager.exe

%original file name%.exe_2140_rwx_012B0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_888_rwx_00FF0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

%original file name%.exe_2140_rwx_016C0000_00001000:

|%original file name%.exeM_2140_

Explorer.EXE_888_rwx_01FA0000_00001000:

|explorer.exeM_888_

Explorer.EXE_888_rwx_02110000_0108E000:

c:\windows
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
%System%\drivers\mrrkf.sys
2759687011
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
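
The strings above are defanged the way this report writes indicators (hXXp:// for http://, VVV. for www.), padded with runs of ^ where the dump had non-printable bytes, and mixed with format strings such as a bare "hXXp://" that carry no indicator at all. As an added example, not part of the Lavasoft report or of the sample, the following Python helper turns such a dump into a host list for a DNS/proxy blocklist or a retro-hunt over proxy logs: it finds the defanged URLs, re-fangs them, drops the padding and bare scheme fragments, and splits the hosts into IP literals and domain names. SAMPLE_DUMP is a constructed excerpt of lines copied from the dump above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the defanged strings dump, including the
# ^ padding runs, a field-delimited line without a URL, a duplicate and a bare
# "hXXp://" format string.
SAMPLE_DUMP = r"""
hXXp://ec2-107-20-76-158.compute-1.amazonaws.com/ThankYou/downloadmanager?source=google_zoomdownloadmngr-display-US-728x90-23609154882&subid1=software&subid2=VVV.livemixtapes.com&userid=9d834e20-2187-459a-b448-f71e374113e7^^^^^^^^^^^^^^^^
|get.zoomdownloader.com|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36^^^^^^^^
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://kukutrustnet777.info/home.gif
hXXp://89.119.67.154/testo5/
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777.info/home.gif
%System%\drivers\mrrkf.sys
hXXp://
"""

# A defanged URL as the report writes it; the match stops at whitespace, at the
# ^ padding and at the | delimiters the dump uses between fields.
DEFANGED_URL_RE = re.compile(r"hXXps?://[^\s^|\"'<>]+")


def refang(s):
    """Undo the report's defanging: hXXp -> http, VVV. -> www."""
    s = re.sub(r"\bhXXp(s?)://", r"http\1://", s)
    return re.sub(r"\bVVV\.", "www.", s)


def extract_urls(dump):
    """Unique re-fanged URLs in order of first appearance."""
    seen, urls = set(), []
    for match in DEFANGED_URL_RE.finditer(dump):
        url = refang(match.group(0))
        if not urlsplit(url).hostname:   # bare scheme fragment, nothing to block
            continue
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def extract_hosts(dump):
    """Hosts of the extracted URLs, deduplicated and sorted, split into IP
    literals and domain names (the two usually go to different blocklists)."""
    ips, domains = set(), set()
    for url in extract_urls(dump):
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains)}


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_DUMP):
        print(url)
    print(extract_hosts(SAMPLE_DUMP))
```

Review the list before blocking: a shared cloud hostname such as the compute-1.amazonaws.com entry identifies one tenant at one point in time and is better used as log-search context, whereas the kukutrustnet*.info and klkjwre9fqwieluoi.info names are unlikely to carry legitimate traffic.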


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1736

     The process IDs on this page are the values from the sandbox run and will differ on an infected machine; identify the process by its image name. The dumps above also show the worm's code injected into Explorer.EXE (regions Explorer.EXE_888_rwx_02110000_0108E000 and Explorer.EXE_888_rwx_00FF0000_00002000), so ending only the dropper's process leaves that code running: end and restart Explorer.EXE as well, or carry out the file deletions from Safe Mode.

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9PL5V6Q\header_basicinstaller[1].jpg (2454 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5JCZ44MH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\header.jpg (1444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (1843 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bottom.jpg (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BOO0MMUA\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8F2IR377\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lock.temp (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\truste.jpg (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K9PL5V6Q\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\side.jpg (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5JCZ44MH\offer_expired[1].jpg (4950 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (4902 bytes)
    %WinDir%\system.ini (70 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives. "autorun.inf" is a plain-text file; the open= and shellexecute= lines in its [autorun] section name the copy the worm dropped on that drive, so read it to locate the executable before deleting both. Do this with AutoPlay disabled, or from a console rather than Explorer, because opening the drive's folder is exactly what launches the worm.
  6. Reboot the computer.

  Note that %WinDir%\system.ini in the list above is a legitimate Windows file the worm modified; remove only the entries it added rather than the file itself. The strings recovered from the injected Explorer.EXE region also reference a driver path, %System%\drivers\mrrkf.sys, and a device name, \\.\amsint32, neither of which appears in the automated file list; check whether that driver file exists and is registered as a service and remove it too, since the steps above do not cover it.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
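
Step 5 above is the part of the procedure that is easy to get wrong by hand, because the only safe way to learn which file on the drive is the worm's copy is to read "autorun.inf" without letting Explorer act on it. The following is an added example, not Lavasoft's code and not taken from the sample: a Python triage script that enumerates removable drives on Windows, parses each drive's "autorun.inf" tolerantly (worms often pad the file with junk bytes that break configparser), resolves every launch target (open=, shellexecute= and shell\...\command= entries), checks whether the target exists, hashes it and compares the hash with a caller-supplied known-bad set. It reports and deletes nothing; deletion is the operator's decision once the hash matches. The fixture built by build_sample_drive(), including the RECYCLER\dropped.exe path and the autorun.inf contents, is constructed for the demonstration; this page does not show the contents of the autorun.inf the sample writes.

```python
import ctypes
import hashlib
import os
import sys
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")   # [autorun] keys that start a program


def parse_autorun(data):
    """Tolerant line-by-line autorun.inf parser: [(key, value), ...] for the
    launch-capable keys of the [autorun] section. Decoding as latin-1 and skipping
    unparseable lines means junk bytes padded into the file do not abort the parse."""
    found, section = [], None
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            found.append((key, value))
    return found


def launch_path(value):
    """First token of a command value (quoted or bare) as a path relative to the drive root."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        token = value[1:end] if end > 0 else value[1:]
    else:
        token = value.split()[0] if value.split() else ""
    token = token.replace("/", "\\")
    if token.startswith(".\\"):
        token = token[2:]
    return token.lstrip("\\")


def sha256_file(path):
    with open(path, "rb") as handle:            # dropped copies are small; read whole
        return hashlib.sha256(handle.read()).hexdigest()


def triage_drive(root, known_bad=frozenset()):
    """One finding per launch entry in <root>\\autorun.inf: the key, the file it
    points at, whether it exists and, if so, its SHA-256 and whether that hash is
    in the caller's known-bad set. Nothing is modified or deleted."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "rb") as handle:
        entries = parse_autorun(handle.read())
    findings = []
    for key, value in entries:
        rel = launch_path(value)
        if not rel:
            continue
        full = os.path.join(root, *rel.split("\\"))
        finding = {"key": key, "target": rel, "exists": os.path.isfile(full)}
        if finding["exists"]:
            finding["sha256"] = sha256_file(full)
            finding["known_bad"] = finding["sha256"] in known_bad
        findings.append(finding)
    return findings


def removable_drive_roots():
    """Roots of drives Windows reports as DRIVE_REMOVABLE (2); empty elsewhere."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    roots = ["%s:\\" % chr(65 + i) for i in range(26) if mask & (1 << i)]
    return [r for r in roots if k32.GetDriveTypeW(r) == 2]


def build_sample_drive():
    """Constructed fixture (not data from the analysed sample): a temp directory
    standing in for a drive root, with an autorun.inf in the style worms write
    (junk line, mixed-case keys, quoted and relative targets) and a dummy payload."""
    root = tempfile.mkdtemp(prefix="usb_")
    payload = os.path.join(root, "RECYCLER", "dropped.exe")   # path is an assumption
    os.makedirs(os.path.dirname(payload))
    with open(payload, "wb") as handle:
        handle.write(b"MZ" + b"\x90" * 64)
    inf = (b"\xff\xfe\x00junk the parser must skip\r\n"
           b"[AutoRun]\r\n"
           b"OPEN=RECYCLER\\dropped.exe\r\n"
           b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
           b"shellexecute=\"RECYCLER\\dropped.exe\" -install\r\n"
           b"shell\\open\\Command=.\\RECYCLER\\dropped.exe\r\n"
           b"shell\\explore\\command=missing.exe\r\n")
    with open(os.path.join(root, "autorun.inf"), "wb") as handle:
        handle.write(inf)
    return root


if __name__ == "__main__":
    for root in removable_drive_roots() or [build_sample_drive()]:
        for finding in triage_drive(root):
            print(root, finding)
```

Run it from a console with AutoPlay disabled, or against the drive mounted on a non-Windows analysis machine, so that nothing opens the drive's folder in Explorer while it is being examined. A finding whose hash matches the sample's hashes is the copy step 5 tells you to delete together with the "autorun.inf" that points at it; a launch entry whose target does not exist is still worth noting, since the "autorun.inf" itself must go.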
